F E B R U A R Y 2 0 0 7 K E E P I N G G O O D C O M P A N I E S  

The internal auditor within any organisation is

an important ally and supporter of the

Company Secretary. Separately, they represent the

two primary organisational managers who focus

entirely on governance and risk. Together, they

can represent a real force in terms of changing

behaviour and driving improvement in

governance, risk management and control.

While most organisations will have an internal

audit function, recent discussions with a range of 

Company Secretaries around Australia suggest that

Company Secretaries are not effectively using

internal audit to support their objectives.

Company Secretary, internal auditand governance

A common description of corporate governance is

as a ‘Corporate Governance Table’ whereby

corporate governance has four cornerstones or

‘legs’, being:

• the board of directors

• executive management

• internal auditors, and

• external auditors.1

The role of the Company Secretary varies from

organisation to organisation, and can be anything

from a part of the board of directors leg, to part of 

the executive management leg, to the ‘glue’ the

holds the table together. Our view is that the

Company Secretary can add the most value to

their organisation by interacting with all of the

legs of the table to assist in driving the governance

agenda.

With internal audit serving as one of the

table’s legs, the Company Secretary can get real

support from internal audit in achieving

governance objectives. In fact, internal auditors

routinely help with its leg of the governance table

by assisting with:

• how to better manage risks

• how to improve the organisation’s compliance

with laws and regulations, and

• promoting the importance of ethics and a

positive corporate culture.

Observations of interaction betweenthe Company Secretary and internalaudit

Our observations across a range of organisations of 

varying size, complexity, industry and geography

suggest that the interaction between the Company

Secretary and internal audit is often minimal.

Situations where interaction could be occurring

but often is not, include:

• Company Secretaries not receiving relevant

internal audit reports

• Company Secretaries not providing input into

the internal audit plan

• Company Secretaries not being aware of 

internal audit findings in the area of corporate

compliance

• Company Secretaries not using internal audit

to provide oversight in connection with

secretarial responsibilities

• inconsistencies between advice and messages

between Company Secretaries and internal

audit, and

• internal audit not regularly using the

Company Secretary as a source of evidence

and insight across the organisation.

Obviously these deficiencies do not apply to all

organisations: we have seen evidence in a number

of organisations where the interaction between the

two roles is strong, active and very healthy. Further,

the need and nature of the interaction between the

two roles is heavily dependent on how the roles of 

the Company Secretary and internal auditor are

utilised within the organisation.

Over the past decade, both roles have

changed. Both have moved from largely

operational functions toward a more strategic role

providing advice and support to improve

organisational performance. Arguably, both

professions are still working out how best to

24

F EATURE

Company Secretary and internal

auditor: joint guardians of 

governance, risk management

and controlBy Mark Harrison, Managing Director, Protiviti

 

achieve these more strategic roles, and what tools

(both within and outside an organisation) should be

used to achieve their objectives. This may be one

reason why the two professions are not currently

best utilising the services of the other to achieve

improvements in performance and governance

within their organisations.

In conversations with Company Secretaries,

another potential cause for the lack of interaction

between the Company Secretary and the internal

auditor emerges: a lack of understanding of what

exactly an internal auditor can or should do within

an organisation.

What does the internal auditor do?

The Institute of Internal Auditors, the professional

body for internal auditors around the world,

publishes a Professional Practices Framework which

includes the following definition:

Internal auditing is an independent, objective

assurance and consulting activity designed to add

value and improve an organisation’s operations. It

helps an organisation accomplish its objectives by

bringing a systematic disciplined approach to

evaluate and improve the effectiveness of risk

management, control and governance processes.2

The manner in which this assurance and

consulting is provided can vary. In some

organisations, all internal audit activity takes the

form of discrete reviews and reports which are

tailored to areas of high risk or high significance to

the organisation or where there is specific reliance

on controls. In other organisations internal audit

also provides training, advice and consultation, and

serves on various management committees.

In any of these capacities, internal audit acts as a

change agent to identify areas where processes, people

or technology are not performing at an optimal or

appropriate level and recommend improvements. As

noted in a recent publication by Protiviti:

The true measure of performance for internal audit

is the ability to effect and facilitate organisational

change that fosters continuous improvement and

gradual progression up the risk management

continuum. The true worth of internal audit is not

measured in the weight of after-the-fact

recommendations, but in the ability to provide just-

in-time advice and influence positive change that

adds value to the organisation… internal audit

should be at the forefront of positive change by

recommending and facilitating the process of 

aligning people, processes and technology to

achieve improved sustainable performance.3

This can equally be applied to governance

arrangements and, in fact, much of internal audit’s

work assists with establishing and maintaining good

corporate governance.

The internal audit profession has moved

significantly over the past decade. It is now by far

the exception rather than the rule that the internal

auditor focuses entirely on financial transactions

and processes. Further, internal audit is rarely

devoted specifically to ‘tick and flick’ auditing of 

transactions. Today’s internal audit function is a

multi-disciplinary function that goes beyond simple

compliance to efficiency and effectiveness, considers

operational (and in some cases legal) matters as well

as corporate process, and possesses specific expertise

in areas such as governance, risk management and

ethics. The purview of today’s internal audit

function covers the full expanse of an organisation

from board performance and operations through to

detailed business processes and technology and

environmental and stakeholder management. This

broad area of responsibility and its requisite skillset,

together with the heavy emphasis on risk

management and governance, provide an important

tool which can be used to assist the governance

professional.

How can the Company Secretaryutilise internal audit most effectively?

Internal audit represents a valuable resource to the

Company Secretary as it seeks to meet business

objectives, and especially as it relates to the

objectives of internal control:

• efficiency and effectiveness of operations

• reliability of financial reporting

• compliance with applicable laws and

regulations, and

• the safeguarding of assets.

Each organisation’s internal audit function

possesses unique individuals, skills and

competencies, which management broadly (and the

Company Secretary specifically) needs to understand

and then use effectively in helping meet its

objectives. Internal audit should not be a function

exclusively used by the audit committee. An internal

audit function, by its very nature of being internal,

is a part of management’s systems of internal

control and governance and thus should be an asset

and tool for management.

While the charter of, need for and capability of 

each organisation’s internal audit function will vary,

Company Secretaries may find the following

suggestions helpful in determining how to best

leverage internal audit resources to achieve strong,

well-designed and effective risk management,

internal control and corporate governance processes.

• Utilise internal audit resources as part of the

organisation’s enterprise-wide risk management

and governance management to identify, source,

measure, prioritise and develop a plan to address

and manage the most significant business and

governance risks the organisation faces in

achieving its business objectives.

25

F EATURE

 

26

I c o n t i n u e d  

• Provide input to the internal audit function in the

development of the annual internal audit plan and

changes to the plan to focus limited resources on

risks and areas of the greatest importance.

• Discuss and develop plans for internal audit to

assist in efforts related to the organisation’s efforts

to comply with key legislation, (and for publicly

listed organisations) the Australian Stock Exchange

Principles of Good Corporate Governance and Best

Practice Recommendations.

• Consider how the internal audit function might be

used as a rotational management-training program

for the organisation’s governance professionals and

other managers.

• Support the internal audit function in connection

with key findings, and its plan for process owners to

make changes and improvements to internal

controls, governance and management

arrangements, and process issues and deficiencies.

• Visibly support and encourage the mission and

effort of the internal audit function. This should

also be reciprocated with the internal auditor visibly

supporting the role and objectives of the Company

Secretary.

• Work closely with the audit committee to help

ensure the internal audit function remains objective

and adds value to the organisation.

 Joint guardians of governance, riskmanagement and control

Given the consistency of objectives of today’s Company

Secretary and internal audit (improved governance, risk

management, compliance and control) there is

significant scope for the two roles to work closely

together to achieve those objectives. By bringing

different perspectives, skills and authorities together to

bear upon the governance, risk management,

compliance and control of an organisation, there is real

scope to drive improvements in organisational

performance and conformance.

 Mark Harrison is a Managing Director of Protiviti, an

independent international consultancy providing advice and 

support in risk management. For more information on

 Protiviti, visit www.protiviti.com.au. Mark can be contacted 

on (02) 9240 0606 or at mark.harrison@protiviti.com.au.

Notes

1 Bruce Adamec, Linda Leinicke, Joyce Ostrosky, W. Max

Rexroad, ‘Getting a Leg Up’, Internal Auditor, June 2005, p 42

2 Institute of Internal Auditors, Framework for the Standards for 

the Professional Practice of Internal Auditing (Administrative

Directive No. 1)

3 Protiviti, Top Priorities for Internal Audit in a Changing 

Environment , 2006, p 3G

F E B R U A R Y 2 0 0 7 K E E P I N G G O O D C O M P A N I E S  

F EATURE