Corresponding author: Robert Bogtstra (r.bogtstra@fsvriskadvisory.nl). Academic editor: Chris D. Knoops
© 2020 Robert Bogtstra, Inge Garretsen, Remko Renes.
This is an open access article distributed under the terms of the Creative Commons Attribution License (CC BY-NC-ND 4.0), which permits to copy and distribute the article for non-commercial purposes, provided that the article is not altered or modified and the original author and source are credited.
Citation:
Bogtstra R, Garretsen I, Renes R (2020) Compliant in principle! and in practice? Internal audit at listed companies in the Netherlands: beyond compliance with the Dutch Corporate Governance Code. Maandblad Voor Accountancy en Bedrijfseconomie 94(3/4): 93-101. https://doi.org/10.5117/mab.94.50021
The revised Dutch Corporate Governance Code of 2016 (hereafter “the Code”) comprises provisions regarding the existence of an internal audit function. Following the comply or explain principle of the Code, Euronext Amsterdam listed companies with a registered office in the Netherlands either have established an internal audit function or have to explain why they did not.
Our research shows that the number of listed companies with an internal audit function has since grown. In 2016, 53% of Euronext Amsterdam listed companies with their registered office in the Netherlands had established an internal audit function; in 2018 this figure was 64%. More than half of these listed companies have an in-house independent internal audit function, whereas other companies have internal audit functions with different characteristics, such as a combined internal audit and risk management function or an outsourced internal audit function.
The majority of the companies without an internal audit function provide inadequate arguments for this absence. They thereby do not meet the standards as set forth in the Code. In most cases, the argument for not having an internal audit function is: “the organization is too small”. This is not a valid argument, as the Code specifically addresses this situation stating that in case the size of a company is not suited for an internal audit function, outsourcing may be an appropriate alternative.
We conclude that management boards should give this topic more thought and give better insight into their judgement by explaining their arguments. We therefore advocate that the principle of “comply or explain” should be “comply and explain”. Such is the case in the South African corporate governance code (King IV). The effect will be that management boards mindfully have to elaborate on how they obtain independent assurance on the company’s governance, risk management and control systems.
Keywords: Internal Audit, Dutch Corporate Governance Code, listed companies, Euronext Amsterdam
The research explores to what extent Euronext Amsterdam listed companies with a registered office in the Netherlands comply with the revised Dutch Corporate Governance Code (2016) provisions regarding internal audit. Boards can benefit from the research by obtaining insight into the variety of established internal audit functions and the various explanations for not establishing an internal audit function.
In 2017 we researched internal audit functions at Euronext Amsterdam listed companies with their registered office in the Netherlands: “Internal Audit Monitor 2017”. In this research we provided insight into the number of internal audit functions established at Euronext Amsterdam listed companies with their registered office in the Netherlands (hereafter: “Dutch listed companies in the Netherlands”) and insight into the nature and composition of these internal audit functions. In 2020, a follow-up research study – “Internal Audit Monitor 2019” – will be published with an updated overview of the current state of internal audit functions at Dutch listed companies in the Netherlands. The Internal Audit Monitor 2019 will also provide a detailed assessment of the extent of compliance and non-compliance with the internal audit provisions comprised in the Code.
In the Netherlands, the Code is subject to annual monitoring and sometimes revision by the Monitoring Committee Corporate Governance Code (hereafter “monitoring committee”) appointed by the Minister for Economic Affairs. The revised Code of 2016 comprises provisions regarding the existence of an internal audit function. Following the comply or explain principle of the Code, Dutch listed companies in the Netherlands either have established an internal audit function or explain where they do not comply, why and to what extent they deviate from the Code. In this article we will give detailed insight into the quality of explanations of companies that do not have an internal audit function.
Before we discuss the results of our research, we first describe in section 2 the applied research method and explain the composition of the researched group of listed companies. Section 3 contains a brief update on the developments in the nature and composition of internal audit functions of Dutch listed companies in the Netherlands in 2016–2018. After this, in section 4, we offer an analysis of the various explanations provided by companies for deviating from provision 1.3.6 (Absence of an internal audit department) of the Code. In section 5 we summarize and evaluate the results of three successive years of monitoring internal audit functions, followed by some recommendations.
The scope of our research comprises companies listed on Euronext Amsterdam with their registered office in the Netherlands. Euronext Amsterdam listed companies are classified in three indices based upon market capitalization and a remaining group of smaller local companies. The AEX-index comprises large companies, the AMX-index comprises midcap companies and the AScX-index small companies. The composition of these indices changes throughout the year due to various events such as initial public offerings, de-listings, mergers and takeovers. Local-listed companies are companies listed at Euronext Amsterdam that are not part of the mentioned index categories. For every year we classified all Dutch listed companies in the Netherlands based upon the year-end composition of the stock exchange and the indices. Furthermore, (open end) investment companies were not included in our research, as the Code does not apply to them.
The assessment is based upon desk research of public records such as annual reports for the years 2016 through 2018, management board and audit committee regulations, Corporate Governance statements, press releases, LinkedIn profiles and job advertisements.
Good corporate governance has been widely discussed in the past decade. In the public debate, it has become clear that many experts agree that an internal audit function is an essential part of good governance. A Position Paper of the Institute of Internal Auditors “Internal auditing’s role in corporate governance” (2018) states that “internal audit’s role in governance is vital. Internal audit provides objective assurance and insight on the effectiveness and efficiency of risk management, internal control, and governance processes.” Different corporate governance codes (e.g. United Kingdom (2018), Belgium (2020), South Africa (2016), Norway (2018), Portugal (2016) etc.) all mention the importance of an internal audit function as part of good governance. The revised Code of the Netherlands (2016) also underlines that vision.
In this section we provide insight into the internal audit function in practice and into the nature and composition of the internal audit function with Dutch listed companies in the Netherlands for the years 2016 through 2018. We classified their nature and composition based on their characteristics using the categorization included in Table
The research covers companies listed at Euronext Amsterdam with their registered office in the Netherlands. The Dutch Code formally does not apply to companies with their registered office outside the Netherlands. However, we are of the opinion that an internal audit function is a valuable building block of good corporate governance for comparable companies, regardless of the location of the registered office. Therefore, we at times also provide insight into Euronext Amsterdam listed companies with their registered office outside the Netherlands.
Categories of internal audit functions.
Categories | Description |
---|---|
Yes – Internal | A full independent internal audit function is in place, where internal auditor(s) are employed by the company and report to the board of the company. Internal audit is concerned with providing insight and assurance on important control measures and on the system of internal control in general. |
Yes – Outsourced | Full outsourcing of the internal audit function to a third party or where the head of internal audit is outsourced to a third party. |
Yes – Combination | Second line and third line activities are the responsibility of one person (often the head of internal audit). |
Yes – Different | The scope of the internal audit function is limited. Only part of the company’s system of internal control is in scope of the internal audit function. |
No – Next year | It is mentioned that the organization will start with an internal audit function in the coming year. |
No – Explain | An explanation and/or reason for not having an internal audit function is given. |
No – No explain | There is no mentioning of an internal audit function or it is mentioned that there is no internal audit function without giving an explanation and/or reason for not having one. |
The number of internal audit functions increased steadily during the years 2016 through 2018. In 2016 53% of listed companies have an internal audit function. At year-end 2018 this percentage has increased to 64%, as is shown in Figure
Nature and composition of the internal audit function at listed companies in the Netherlands for the years 2016–2018.
Internal audit function at listed companies in the Netherlands in the years 2016–2018.
Euronext listed companies with registered office in the Netherlands | 2018 (number) | 2018 (%) | 2017 (number) | 2017 (%) | 2016 (number) | 2016 (%) |
---|---|---|---|---|---|---|
Yes – Internal | 51 | 53% | 46 | 48% | 41 | 43% |
Yes – Outsourced | 6 | 6% | 7 | 7% | 4 | 4% |
Yes – Combination | 4 | 4% | 5 | 5% | 5 | 5% |
Yes – Different | 1 | 1% | 2 | 2% | 1 | 1% |
No – Next year | 1 | 1% | 1 | 1% | 7 | 7% |
No – Explain | 31 | 32% | 32 | 33% | 24 | 25% |
No – No explain | 3 | 3% | 4 | 4% | 14 | 15% |
Total | 97 | – | 97 | – | 96 | – |
IAF | 62 | 64% | 60 | 62% | 51 | 53% |
no IAF | 35 | 36% | 37 | 38% | 45 | 47% |
This trend continued in 2019 since already one company has indicated that an internal audit function will be established in 2019.
Combined with foreign registered listed companies a total of 65% – compared to 54% in 2016 – of the companies have established an internal audit function. More than half (53%) have an in-house independent internal audit function. Other companies have internal audit functions with different characteristics, such as internal audit combined with risk management or an outsourced internal audit function.
Still 36% of all Dutch listed companies in the Netherlands do not have an internal audit function. In 2016, 15% offered no explanation, in 2018 this figure dropped to 3%. However, most companies still offer arguments for this choice. For more details we refer to section 4.3 Quality of explanation of non-compliance.
In the first year after the revised Code came into force, in 2017, eight new internal audit functions were established at Dutch listed companies in the Netherlands. In the course of 2018 – the second year – two more companies followed and established an internal audit function.
Hereafter we will provide more detailed insight into the nature and composition of the internal audit function per index. Table
Internal audit function at listed companies as per Stock Exchange Index in the years 2016–2018.
Euronext listed companies with registered office in the Netherlands | 2018 (number) | 2018 (%) | 2017 (number) | 2017 (%) | 2016 (number) | 2016 (%) |
---|---|---|---|---|---|---|
AEX | | | | | | |
Yes – Internal | 19 | 90% | 19 | 90% | 19 | 90% |
Yes – Outsourced | 0 | 0% | 0 | 0% | 0 | 0% |
Yes – Combination | 2 | 10% | 2 | 10% | 2 | 10% |
Yes – Different | 0 | 0% | 0 | 0% | 0 | 0% |
No – Next year | 0 | 0% | 0 | 0% | 0 | 0% |
No – Explain | 0 | 0% | 0 | 0% | 0 | 0% |
No – No explain | 0 | 0% | 0 | 0% | 0 | 0% |
Total | 21 | – | 21 | – | 21 | – |
AMX | | | | | | |
Yes – Internal | 18 | 81% | 16 | 72% | 13 | 59% |
Yes – Outsourced | 2 | 9% | 3 | 13% | 3 | 13% |
Yes – Combination | 1 | 5% | 1 | 5% | 1 | 5% |
Yes – Different | 0 | 0% | 1 | 5% | 1 | 5% |
No – Next year | 0 | 0% | 0 | 0% | 2 | 9% |
No – Explain | 1 | 5% | 1 | 5% | 2 | 9% |
No – No explain | 0 | 0% | 0 | 0% | 0 | 0% |
Total | 22 | – | 22 | – | 22 | – |
AScX | | | | | | |
Yes – Internal | 9 | 42% | 8 | 36% | 7 | 30% |
Yes – Outsourced | 2 | 10% | 3 | 14% | 0 | 0% |
Yes – Combination | 1 | 5% | 1 | 5% | 2 | 9% |
Yes – Different | 0 | 0% | 0 | 0% | 0 | 0% |
No – Next year | 1 | 5% | 1 | 5% | 4 | 17% |
No – Explain | 8 | 38% | 9 | 40% | 8 | 35% |
No – No explain | 0 | 0% | 0 | 0% | 2 | 9% |
Total | 21 | – | 22 | – | 23 | – |
Local | | | | | | |
Yes – Internal | 5 | 15% | 3 | 9% | 2 | 7% |
Yes – Outsourced | 2 | 6% | 1 | 3% | 1 | 3% |
Yes – Combination | 0 | 0% | 1 | 3% | 0 | 0% |
Yes – Different | 1 | 3% | 1 | 3% | 0 | 0% |
No – Next year | 0 | 0% | 0 | 0% | 1 | 3% |
No – Explain | 22 | 67% | 22 | 69% | 14 | 47% |
No – No explain | 3 | 9% | 4 | 13% | 12 | 40% |
Total | 33 | – | 32 | – | 30 | – |
In 2016 and in 2018, all Dutch AEX-listed companies had an internal audit function. In two companies, the internal audit function is also responsible for second-line activities related to (Enterprise) Risk Management.
Moreover, in 2016 all AEX-listed companies with their registered office outside the Netherlands also had an internal audit function. In 2018 one AEX-listed company did not have an internal audit function. This Belgian-based company has indicated that it will establish an internal audit function in the course of 2019. Time will tell, with the coming annual report of 2019.
In 2018, only one AMX-listed company does not have an internal audit function. This is part of a positive trend, since two years earlier four Dutch AMX-listed companies did not establish an internal audit function. In their annual report 2018, this company states: “Due to its size, the Company has no internal audit department.”
Two companies have (partly) outsourced their internal audit function to a third party. They give no further explanation on this.
In 2016 the scope of the internal audit function of one Dutch AMX-listed company was limited to “operational audits for the project business”. In 2018 the internal audit function has broadened its scope, comprising the internal control framework of the entire company. One company has chosen for a situation where the chief audit executive
Interesting developments can be seen in this index of smaller companies, where 57% of Dutch AScX-listed companies have established an internal audit function, a substantial increase compared to 39% in 2016. This number will continue to grow, as one AScX-listed company has indicated that an internal audit function will be established in the course of 2019.
Risk and internal audit are combined under one responsible person at one of the companies. Two companies have outsourced their internal audit function to a third party, without further explanation.
Two out of four AScX-listed companies with their registered office outside the Netherlands have an internal audit function. One Belgium-based company has also indicated that it will establish an internal audit function. Only one company – German-based – gave no explanation for not having an internal audit function.
In 2018 only 24% of local companies have established an internal audit function, which is still a substantial increase compared to the 10% in 2016. Moreover, only three companies gave no explanation for not having an internal audit function. This is a substantial decrease compared to the twelve companies in 2016 giving no explanation. We will explore the quality of the (twenty two) explanations for not establishing an internal audit function in section 4.3 Quality of explanation of non-compliance.
Two companies have outsourced their internal audit function. Both companies do not give an explanation for this choice.
One company indicated that the internal audit function has been assigned to the financial controller, the group controller and the CFO, supported by the risk, insurance & compliance manager. One could argue whether this is to be considered an internal audit function. Since the organization itself considers this to be an internal audit function, we categorized it as such. In the Internal Audit Monitor 2019 we did assess to what extent the best practice provisions in the Code relating to the internal audit function were complied with, which was almost none.
The Code states that deviations from the Code should be made explicitly clear in a separate chapter of the management report or published on the company’s website. Virtually all companies that must comply with the Code indicate to what extent they are compliant with the Code.
In the Internal Audit Monitor 2019 we researched – based on public records – the extent to which companies demonstrably comply with the internal audit principles in the Code on this subject. In this section we focus on the extent of compliance and potential explanation of adherence to principle 1.3.6. Absence of an internal audit department.
Some background is useful in considering the explanations companies offer for not having an internal audit function. Broadly speaking, the overarching goal of the Code is that companies must aim for long term value creation, which implies sound decisions based on conscious and careful consideration of risks and benefits. That’s when risk management and control systems come into place and where internal audit provides independent assurance on the effectiveness of the processes of governance, risk management and internal control.
In some cases, for example the New York Stock Exchange, having an internal audit function is mandatory. At Euronext Amsterdam this is not mandatory. The Code comprises a best practice principle for organizations that deviate from having an internal audit function:
“1.3.6 Absence of an internal audit department
If there is no separate department for the internal audit function, the supervisory board will assess annually whether adequate alternative measures have been taken, partly on the basis of a recommendation issued by the audit committee, and will consider whether it is necessary to establish an internal audit department. The supervisory board should include the conclusions, along with any resulting recommendations and alternative measures, in the report of the supervisory board.”
Part of this principle based approach is the so-called comply or explain principle: companies that nevertheless do not set up an internal audit function must explain their choice. They should elaborate on what alternative measures are in place to ensure the board obtains independent assurance on the company’s governance, risk management and control systems. The effectiveness of the comply or explain principle has been questioned in academic literature (see amongst other:
The Code gives guidance in how to explain non-compliance by stating “…and provide a substantive and transparent explanation for any departures from the principles and best practice provisions”. The monitoring committee subsequently expressed criteria for good explanations of any deviations of the provisions of the Code (
“(…) the explanation of any departures should in any event include the following elements:
Our research gives insight in the quality of the explanation for not establishing an internal audit function. To measure this objectively, an explanation should include the following elements: a description of the alternative measure that was taken and either (i) an explanation of how that measure attains the purpose of the principle or the best practice provision or (ii) a clarification of how the measure contributes to good corporate governance of the company.
We have classified the explanations of all companies that depart from best practice provision 1.3.6 and need to provide an explanation for not having established an internal audit function. We applied the classification scale in our research and assessment of given explanations included in Table
Rating scale for explanations for the absence of an internal audit function.
Rating scale (from high to low quality) | Description |
---|---|
Explained evaluative | There is a description of the alternative measure(s) that was taken to assure the design and the operation of the internal risk management and control systems and: – either an explanation of how that measure attains the purpose of the principle or the best practice provision; or – a clarification of how the measure contributes to good corporate governance of the company.*) |
Explained argumentative | There is a description of the alternative measure(s) that was taken to assure the design and the operation of the internal risk management and control systems. |
Explained informative | There is an explanation provided for not having an internal audit function, but the specific alternative measure(s) taken to assure the design and the operation of the internal risk management and control systems are not mentioned. |
Explained incorrect | There is an explanation provided, however there is no description of the alternative measure(s) that was taken to assure the design and the operation of the internal risk management and control systems nor an explanation given for not having an internal audit function. |
Not explained | There is no mentioning of an internal audit function nor is it mentioned that there is no internal audit function. |
Quality of compliance to best practice provision 1.3.6 at Dutch listed companies in the Netherlands.
Best practice provision 1.3.6 Absence of an internal audit department | AEX | AMX | AScX | Local | Total |
---|---|---|---|---|---|
Not explained | – | – | – | – | 0 |
Explain incorrect | | | 1 | 4 | 5 |
Explain informative | | 1 | 3 | 15 | 19 |
Explain argumentative | | | 3 | 4 | 7 |
Explain evaluative | | | 2 | 1 | 3 |
Total | | 1 | 9 | 24 | 34 |
Not Applicable | 21 | 21 | 12 | 9 | 63 |
Total | 21 | 22 | 21 | 33 | 97 |
Five companies gave no real explanation for not having an internal audit function. One company explained:
“It is the opinion of the Supervisory Board that, at present, there is no need for an internal audit function in the Company.”
Another company just repeated the principle, without giving a real explanation:
“[…] the supervisory board will assess annually whether adequate alternative measures have been taken and will consider whether it is necessary to establish an internal audit department.”
The majority (29 out of the 34 companies: 85%) explain
“Given the size of the company, [company] currently has no internal audit service.”
Some provide a more extensive explanation, but do not mention the specific alternative measures taken (translated from Dutch):
“Given its size, the company does not have a separate internal audit function. Following the assessment by the Board of the internal control system and the findings of the external auditor in this regard, the Board believes that the introduction of an internal audit function is not necessary.”
“In the Supervisory Board’s opinion [company] risk profile has not changed. It is encouraging to note that the different companies are well positioned for the future. Attention was paid to the risk-management system and this did not produce any singularities. This evaluation also showed that [company] is not large enough to warrant it having its own internal audit function. The Group Management Board and the Management Boards of the operating companies should be complimented for their success with further developing the companies.”
Seven companies give a more illustrative explanation of the alternative measure(s) established to ensure that the board obtains independent assurance on the company’s governance, risk management and control systems. Examples include certain financial and operational activities being carried out on an ad-hoc basis by an external service provider, self-assessments, peer reviews, and certain ISO or NEN certificates. The culture of an organization is also sometimes mentioned as an alternative mitigating ‘control measure’.
Only three companies provide extensive reasoning that meets the standard as set forth by the Code. They not only set out a description of the alternative measures that were taken, but also explained how the measures attain the purpose of the principle and/or how the measures contribute to good corporate governance of the company. In our opinion the explanation below is a good example and best practice explanation:
“Considering the size of the Group and based on a cost benefit analysis, [company] had not established an internal audit department. The company has taken the following alternative measures to mitigate the absence of an internal audit department:
The Board has assessed the alternative measures performed together with any resulting findings and recommendations and concluded that the findings did not result in any material deficiencies to [company] internal control system. Hence the Board considers the alternative measures performed sufficient for not establishing an internal audit department.”
Internal audit functions of Dutch listed companies in the Netherlands come in many flavors, ranging from fully-fledged reasonably large independent functions to functions that only partly have the characteristics of internal audit to combinations with risk management.
Since the revised Code came into effect as of 2017, the number of internal audit functions has increased. Also, the number of companies that offer an explanation for not installing an internal audit function significantly increased. A positive effect that can be attributed to the internal audit related principles in the Code.
Only a few organizations provide no real explanation and in some cases the reasoning is simply circular (“we don’t have an internal audit function, because we found that we don’t need an internal audit function”). The majority offers an explanation, however only few of them meet the standards for explaining that have been laid down by the Code.
Although we did not apply our own opinion on argumentative strength, we do want to share our thoughts on one of the most cited arguments for not having an internal audit function: “the size of the organization”. The explanatory notes to the Code by the monitoring committee give guidance in this respect:
“The basic principle is that companies should establish their own internal audit department to undertake the internal audit function. In the event of a departure from this principle, for example if the size of the company is not suited to this, outsourcing may be an appropriate alternative. In case of outsourcing, the supervisory board and the audit committee will remain involved in the execution of the internal audit function, as stipulated in best practice provisions 1.3.1 to 1.3.5, inclusive.”
This shows that the monitoring committee does not regard the size of the company as an appropriate argument for not having an internal audit function. As stated, the size of the company may be a reason to consider outsourcing an appropriate alternative.
The number of Dutch listed companies in the Netherlands with an internal audit function is increasing in the years 2016 through 2018. Over the last three years smaller listed companies increasingly have established an internal audit function. For the year 2018 we found that only a quarter of these companies provided evaluative arguments in their explanation for not having an internal audit function. The majority do not meet the standards as set forth by the Code, and give either no or a very limited explanation for not having an internal audit function.
The main argument provided is that these companies simply consider themselves too small for establishing an internal audit function. As a result, these organizations run the risk of not fully understanding the effectiveness of their risk management, control and governance processes and evaluating and improving them. Companies without an internal audit function lack, among other things, independent and expert insight for the management and supervisory board and opportunities for organizational improvement.
The perception often is that internal audit employee(s) must be permanently employed to be able to speak of a credible internal audit function. However, that is a misunderstanding. There are other feasible and cost efficient solutions. In our opinion companies are never too small for an internal audit function as they can also opt for an internal audit function through co- and outsourcing in line with the recommendation of the monitoring committee. The most frequently mentioned advantage of working with an external service provider is flexibility. By combining an internal chief audit executive supplemented with external specialists, it is feasible to both control costs and obtain access to flexibility and specialist knowledge. Internal auditors are then only deployed if necessary. Co-sourcing and outsourcing also can be a solution for providing the internal audit function in a cost-efficient manner with a limited number of employees.
It would be a missed opportunity if misperceptions about the costs and value of an internal audit function would lead to wrong decisions by management boards of organizations. Therefore we emphasize the importance of a good quality explanation and agree with King IV (the South African corporate governance code) that “comply and explain” is better than “comply or explain”. They explain this by stating that:
“Explanation also helps to encourage organisations to see corporate governance not as an act of mindless compliance, but something that will yield results only if it is approached mindfully, with due consideration of the organisation’s circumstances.”
As a result board members actively will have to elaborate on how the board obtains independent assurance on the company’s governance, risk management and control systems.
Based on our research, we found that there are different possibilities for further research that would provide interesting insight into the added value of the internal audit function.
Drs. Robert Bogtstra RA CIA has been a partner at FSV Risk Advisory since April 2012 and is a university lecturer in Corporate Governance and Advanced Auditing at Nyenrode Business Universiteit. Previously, Robert was responsible for Jefferson Wells Nederland and worked in the advisory practices of PwC and KPMG.
Mr. Inge Garretsen RO EMIA is a lawyer and operational auditor. She has worked for FSV Risk Advisory since February 2019 and has experience in both internal audit and process control. In addition, she is vice-chair of the IIA Young Professionals committee.
Drs. Remko Renes RA is a university lecturer in corporate governance at Nyenrode Business Universiteit and a member of the Center for accounting, auditing & control and the Nyenrode Corporate Governance Instituut. Since 2010 he has carried out various monitoring studies on compliance with governance codes.
Chief audit executive is usually the title for the person who is head of internal audit.
Two companies did not have such a separate “comply or explain” paragraph in their annual report or a separate statement on the company’s website. These companies do however have an internal audit function and are therefore not further mentioned in this chapter.
A total of five explanations which were assessed as incorrect were excluded (see Table