CARIB | Mar 17, 2024

Dr Axel Kravatzky | The role of internal audit in integrated governance 

/ Our Today


Reviewing the governance framework for a bank in the British Virgin Islands (BVI) about 10 years ago, I noted that the most impressive governance review was performed by the internal auditor. 

It was concise, systematic, insightful, and up-to-date with the latest relevant national and international developments.

Working as a consultant to companies on strategy, compliance, audit, risk management and then with boards, I am often struck by the lack of realistic knowledge of many boards of what is really going on in the organisation.

Internal audit can provide an even stronger position than an external consultant. 

Internal audit functions are instrumental in closing the gap between strategic planning and real-world application. The core function of internal audit, according to the International Professional Practices Framework (IPPF) as promulgated by the Institute of Internal Auditors (IIA), is to “enhance and protect organisational value by providing risk-based and objective assurance, advice, and insight”.

This mission statement encapsulates the essence of what internal audit aims to achieve within an organisation. It highlights the dual role of internal audit in not only assessing and improving the effectiveness of risk management, governance, and control processes but also in providing valuable insights and advice to further organizational objectives.

Therefore, whenever there are large disconnects between board, internal audit, and executives, as unveiled by a recent IIA OnRisk study in 2022, this points towards unrealised potential (as well as risks to achieving even that which the organisation is already committed to).

More than that – it speaks to some fundamental approaches to management, governance, and good delegation in general. Any time a person or body delegates to, or enters into agreement with, another party for the performance of activities or the generation of outputs and outcomes, the party that is delegating and accountable for the results should not rely only on the reports of those to whom it has delegated. It needs a direct view of what is going on – it requires an audit function.

In larger organisations this function is performed for the board by internal audit; it is a necessary aspect of effective governance.


So what does regional corporate governance guidance say about the role of and relationship with internal audit?

Integrated governance requires internal audit functions

Let us step aside for a moment to look at the IIA OnRisk 2022 report and ask ourselves what is essential to integrated governance. Among the key insights in the report are the following:

  • There are notable variations on key risk areas that showed up among risk management players: For example, boards were significantly more likely to rate disruptive innovation as a highly relevant risk (77 per cent) than were senior executives (50 per cent).
  • Significant gaps existed between how relevant respondents consider risks to be for their organisations and their assessment of the organisational capability to respond to those risks. For example, cybersecurity had an average rating of 87 per cent in terms of relevance to the organisation, but organisational capability was rated at only 42 per cent, and average personal knowledge at only 31 per cent.
  • Perceptions of risk relevance vary greatly across the ESG components. Organisational governance dominated in terms of relevance over Social Sustainability and Environmental Sustainability in the minds of survey participants.

ISO 37000 as a national organisational governance standard

ISO 37000:2021 provides comprehensive guidance on the governance of organizations, underscoring principles such as social responsibility, risk governance, and long-term viability.

Caribbean standardization bodies, and through them experts and stakeholders from across industry and different types of organisations across Trinidad & Tobago, Saint Lucia and Jamaica, were actively involved in developing the ISO 37000 standard between 2017 and 2021.

For Caribbean entities, the adoption of ISO 37000 as the national standard in Trinidad and Tobago, Saint Lucia and Jamaica signifies a commitment to not just regulatory compliance but to sustainable, ethical, and effective governance. 

This global and now also national standard applies to all organisations, irrespective of size or sector, and offers a blueprint for Caribbean corporations aiming to align with international best practices while catering to regional demands.

Assurance in oversight: Actionable strategies for Caribbean enterprises

ISO 37000 underscores the governing body’s responsibility for effective oversight of the organisation. This includes ensuring that an internal control system is implemented and functioning as intended. The standard clarifies the nature and elements of the internal control system and assurance processes, integrating them into the organisation’s governance framework.

The oversight responsibility encompasses several key actions:

  • Implementation of an internal control system (ICS): This system should include risk management, compliance management, and financial control systems to help the organisation manage its risks and comply with legal and ethical standards.
  • Assurance of governance system design and operation: The governing body must assure itself that the governance system is appropriately designed and operating effectively. This involves a continuous assessment of the system’s effectiveness in achieving the organisation’s objectives.
  • Direct verification and reporting: The governing body should engage in direct verifications and receive direct reports from independent control functions, including risk management, compliance management, and internal audit. These reports provide the governing body with insights into the effectiveness of the governance processes and the internal control system. 

Role of internal audit function

The internal audit function plays a pivotal role in the assurance process within the governance framework of ISO 37000. It acts as an independent provider of assurance to the governing body, focusing on the effectiveness of governance processes, risk management, and compliance management. Key aspects of the internal audit function include:

  • Independence and objectivity: Internal audit must operate independently from management to provide objective assurance on the effectiveness of the organisation’s governance, risk management, and control processes.
  • Reporting to the governing body: Internal audit reports directly to the governing body, typically through the audit committee. This reporting structure ensures that the governing body receives unbiased information about the organisation’s internal controls and risk management practices.
  • Enhancing risk management processes: By providing objective assurance and guidance, the internal audit function helps to enhance the organisation’s risk management processes, ensuring that risks are appropriately identified, assessed, and managed.

In summary, ISO 37000:2021 places significant emphasis on the role of the Internal Audit function in providing assurance to the governing body regarding the effectiveness of the organisation’s governance, risk management, and control processes. The standard outlines a clear framework for oversight and assurance, highlighting the importance of an independent and objective internal audit function in supporting good governance practices.

Dr Axel Kravatzky is the managing partner of TT-based Syntegra-360 Ltd, vice-chair of ISO/TC309 Governance of Organizations and president of EUROCHAMTT. He enables companies to flourish, helping them increase the sustainable value they generate through integrated governance, certified management systems, and transformational leadership.
