Good corporate governance has been widely discussed in the past decade. In the public debate, it has become clear that many experts agree that an internal audit function is an essential part of good governance. A Position Paper of the Institute of Internal Auditors “Internal auditing’s role in corporate governance” (2018) states that “internal audit’s role in governance is vital. Internal audit provides objective assurance and insight on the effectiveness and efficiency of risk management, internal control, and governance processes.” Different corporate governance codes (e.g. United Kingdom (2018), Belgium (2020), South Africa (2016), Norway (2018), Portugal (2016) etc.) all mention the importance of an internal audit function as part of good governance. The revised Code of the Netherlands (2016) also underlines that vision.

In this section we provide insight into the internal audit function in practice and into the nature and composition of the internal audit function with Dutch listed companies in the Netherlands for the years 2016 through 2018. We classified their nature and composition based on their characteristics using the categorization included in Table 1, in line with the categories applied in the Internal Audit Monitor 2017.

The research entails companies listed at Euronext Amsterdam with its registered office in the Netherlands. The Dutch Code formally does not apply to companies with its registered office outside the Netherlands. However, we are of the opinion that an internal audit function is a valuable building block of good corporate governance for comparable companies, regardless the location of the registered office. Therefore, we at times also provide insight into Euronext Amsterdam listed companies with their registered office outside the Netherlands.

Table 1.Download as CSV 

Categories of internal audit functions.

Categories	Description
Yes – Internal	A full independent internal audit function is in place, where internal auditor(s) are employed by the company and report to the board of the company. Internal audit is concerned with providing insight and assurance on important control measures and on the system of internal control in general.
Yes – Outsourced	Full outsourcing of the internal audit function to a third party or where the head of internal audit is outsourced to a third party.
Yes – Combination	Second line and third line activities are the responsibility of one person (often the head of internal audit).
Yes – Different	The scope of the internal audit function is limited. Only part of the company’s system of internal control is in scope of the internal audit function.
No – Next year	It is mentioned that the organization will start with an internal audit function in the coming year.
No – Explain	An explanation and/or reason for not having an internal audit function is given.
No – No explain	There is no mentioning of an internal audit function or it is mentioned that there is no internal audit function without giving an explanation and/or reason for not having one.

The number of internal audit functions increased steadily during the years 2016 through 2018. In 2016 53% of listed companies have an internal audit function. At year-end 2018 this percentage has increased to 64%, as is shown in Figure 1 and Table 2.

Figure 1.

Nature and composition of the internal audit function at listed companies in the Netherlands for the years 2016–2018.

Table 2.Download as CSV 

Internal audit function at listed companies in the Netherlands in the years 2016–2018.

Euronext listed companies with registered office in the Netherlands	2018		2017		2016
Yes – Internal	51	53%	46	48%	41	43%
Yes – Outsourced	6	6%	7	7%	4	4%
Yes – Combination	4	4%	5	5%	5	5%
Yes – Different	1	1%	2	2%	1	1%
No – Next year	1	1%	1	1%	7	7%
No – Explain	31	32%	32	33%	24	25%
No – No explain	3	3%	4	4%	14	15%
Total	97	–	97	–	96	–
IAF	62	64%	60	62%	51	53%
no IAF	35	36%	37	38%	45	47%

This trend continued in 2019 since already one company has indicated that an internal audit function will be established in 2019.

Combined with foreign registered listed companies a total of 65% – compared to 54% in 2016 – of the companies have established an internal audit function. More than half (53%) have an in-house independent internal audit function. Other companies have internal audit functions with different characteristics, such as internal audit combined with risk management or an outsourced internal audit function.

Still 36% of all Dutch listed companies in the Netherlands do not have an internal audit function. In 2016, 15% offered no explanation, in 2018 this figure dropped to 3%. However, most companies still offer arguments for this choice. For more details we refer to section 4.3 Quality of explanation of non-compliance.

In the first year after the revised Code came into force, in 2017, eight new internal audit functions were established at Dutch listed companies in the Netherlands. In the course of 2018 – the second year – two more companies followed and established an internal audit function.

Hereafter we will provide more detailed insight into the nature and composition of the internal audit function per index. Table 3 comprises the composition of all Euronext listed companies with its registered office in the Netherlands, categorized as per manifestation of internal audit function and per listing.

Table 3.Download as CSV 

Internal audit function at listed companies as per Stock Exchange Index in the years 2016–2018.

Euronext listed companies with registered office in the Netherlands	2018		2017		2016
AEX
Yes – Internal	19	90%	19	90%	19	90%
Yes – Outsourced	0	0%	0	0%	0	0%
Yes – Combination	2	10%	2	10%	2	10%
Yes – Different	0	0%	0	0%	0	0%
No – Next year	0	0%	0	0%	0	0%
No – Explain	0	0%	0	0%	0	0%
No – No explain	0	0%	0	0%	0	0%
	21	–	21	–	21	–
AMX
Yes – Internal	18	81%	16	72%	13	59%
Yes – Outsourced	2	9%	3	13%	3	13%
Yes – Combination	1	5%	1	5%	1	5%
Yes – Different	0	0%	1	5%	1	5%
No – Next year	0	0%	0	0%	2	9%
No – Explain	1	5%	1	5%	2	9%
No – No explain	0	0%	0	0%	0	0%
	22	–	22	–	22	–
AScX
Yes – Internal	9	42%	8	36%	7	30%
Yes – Outsourced	2	10%	3	14%	0	0%
Yes – Combination	1	5%	1	5%	2	9%
Yes – Different	0	0%	0	0%	0	0%
No – Next year	1	5%	1	5%	4	17%
No – Explain	8	38%	9	40%	8	35%
No – No explain	0	0%	0	0%	2	9%
	21	–	22	–	23	–
Local
Yes – Internal	5	15%	3	9%	2	7%
Yes – Outsourced	2	6%	1	3%	1	3%
Yes – Combination	0	0%	1	3%	0	0%
Yes – Different	1	3%	1	3%	0	0%
No – Next year	0	0%	0	0%	1	3%
No – Explain	22	67%	22	69%	14	47%
No – No explain	3	9%	4	13%	12	40%
	33	–	32	–	30	–

In 2016 and in 2018, all Dutch AEX-listed companies had an internal audit function. In two companies, the internal audit function is also responsible for second-line activities related to (Enterprise) Risk Management.

Moreover, in 2016 all AEX-listed companies with their registered office outside the Netherlands, also have an internal audit function. In 2018 one AEX-listed company did not have an internal audit function. This Belgian based company has indicated to establish an internal audit function in the course of 2019. Time will tell, with the coming annual report of 2019.

In 2018, only one AMX-listed company does not have an internal audit function. This is part of a positive trend, since two years earlier four Dutch AMX-listed companies did not establish an internal audit function. In their annual report 2018, this company states: “Due to its size, the Company has no internal audit department.”

Two companies have (partly) outsourced their internal audit function to a third party. They give no further explanation on this.

In 2016 the scope of the internal audit function of one Dutch AMX-listed company was limited to “operational audits for the project business”. In 2018 the internal audit function has broadened its scope, comprising the internal control framework of the entire company. One company has chosen for a situation where the chief audit executive¹ also is responsible for second-line activities.

Interesting developments can be seen in this index of smaller companies, where 57% of Dutch AScX-listed companies have established an internal audit function. A substantial increase compared to 39% in 2016. And this number will continue to grow, as one AscX-listed company has indicated that an internal audit function will be established in the course of 2019.

Risk and internal audit are combined under one responsible person at one of the companies. Two companies have outsourced their internal audit function to a third party, without further explanation.

Two out of four AScX-listed companies with its registered office outside the Netherlands have an internal audit function. One Belgium based company has also indicated to establishing an internal audit function. Only one company – German based – gave no explanation for not having an internal audit function.

In 2018 only 24% of local companies have established an internal audit function, which is still a substantial increase compared to the 10% in 2016. Moreover, only three companies gave no explanation for not having an internal audit function. This is a substantial decrease compared to the twelve companies in 2016 giving no explanation. We will explore the quality of the (twenty two) explanations for not establishing an internal audit function in section 4.3 Quality of explanation of non-compliance.

Two companies have outsourced their internal audit function. Both companies do not give an explanation for this choice.

One company indicated that the internal audit function has been assigned to the financial controller, the group controller and the CFO, supported by the risk, insurance & compliance manager. One could argue if this is to be considered an internal audit function. Since the organization considers this to be an internal audit function itself, we categorized it as such. In the Internal Audit Monitor 2019 we did assess to what extent the best practice provisions in the Code relating to the internal audit function were complied with, which was almost none.

The Code states that deviations from the Code should be made explicitly clear in a separate chapter of the management report or published on the company’s website. Virtually all companies that must comply with the Code indicate to what extent they are compliant with the Code.² This is usually accompanied by a phrase in the sense of: “The organization endorses the importance of the Code and its principles for good corporate governance and applies – virtually – all best practices.” Which is then followed by “however ...”, “since ...”, “with the exception of ...”. Companies then mention a – limited – number of principles of which they indicate that they do not comply with.

In the Internal Audit Monitor 2019 we researched – based on public records – the extent to which companies demonstrably comply with the internal audit principles in the Code on this subject. In this section we focus on the extent of compliance and potential explanation of adherence to principle 1.3.6. Absence of an internal audit department.

Some background is useful in considering the explanations companies offer for not having an internal audit function. Broadly speaking, the overarching goal of the Code is that companies must aim for long term value creation, which implies sound decisions based on conscious and careful consideration of risks and benefits. That’s when risk management and control systems come into place and where internal audit provides independent assurance on the effectiveness of the processes of governance, risk management and internal control.

In some cases, for example the New York Stock Exchange, having an internal audit function is mandatory. At Euronext Amsterdam this is not mandatory. The Code comprises a best practice principle for organizations that deviate from having an internal audit function:

“1.3.6 Absence of an internal audit department

If there is no separate department for the internal audit function, the supervisory board will assess annually whether adequate alternative measures have been taken, partly on the basis of a recommendation issued by the audit committee, and will consider whether it is necessary to establish an internal audit department. The supervisory board should include the conclusions, along with any resulting recommendations and alternative measures, in the report of the supervisory board.”

Part of this principle based approach is the so-called comply or explain principle: companies that nevertheless do not set up an internal audit function must explain their choice. They should elaborate on what alternative measures are in place to ensure the board obtains independent assurance on the company’s governance, risk management and control systems. The effectiveness of the comply or explain principle has been questioned in academic literature (see amongst other: Arcot et al. 2010; Abma and Olaerts 2011; Nerantzidis 2015; Bianchi et al. 2011; Hooghiemstra and Van Ees 2011). We therefore wanted to research what the extent of compliance is of the current Code in the Netherlands under this principle.

The Code gives guidance in how to explain non-compliance by stating “…and provide a substantive and transparent explanation for any departures from the principles and best practice provisions”. The monitoring committee subsequently expressed criteria for good explanations of any deviations of the provisions of the Code (Monitoring Committee Corporate Governance Code 2016, p. 11).

“(…) the explanation of any departures should in any event include the following elements:

1. how the company departed from the principle or the best practice provision;
2. the reasons for the departure;
3. if the departure is of a temporary nature and continues for more than one financial year, an indication of when the company intends to comply with the principle or the best practice provision again; and
4. where applicable, a description of the alternative measure that was taken and either an explanation of how that measure attains the purpose of the principle or the best practice provision or a clarification of how the measure contributes to good corporate governance of the company.”

Our research gives insight in the quality of the explanation for not establishing an internal audit function. To measure this objectively, an explanation should include the following elements: a description of the alternative measure that was taken and either (i) an explanation of how that measure attains the purpose of the principle or the best practice provision or (ii) a clarification of how the measure contributes to good corporate governance of the company.

We have classified the explanations of all companies that depart from best practice provision 1.3.6 and need to provide an explanation for not having established an internal audit function. We applied the classification scale in our research and assessment of given explanations included in Table 4, which is derived from monitoring research of the Dutch Corporate Governance Code for the year 2013 (Renes et al. 2014).

Table 4.Download as CSV 

Rating scale for explanations for the absence of an internal audit function.

Rating scale (from high to low quality)	Description
Explained evaluative	There is a description of the alternative measure(s) that was taken to assure the design and the operation of the internal risk management and control systems and:
	– either an explanation of how that measure attains the purpose of the principle or the best practice provision; or
	– a clarification of how the measure contributes to good corporate governance of the company.*)
Explained argumentative	There is a description of the alternative measure(s) that was taken to assure the design and the operation of the internal risk management and control systems.
Explained informative	There is an explanation provided for not having an internal audit function, but not mentioned are the – specific - alternative measure(s) that was taken to assure the design and the operation of the internal risk management and control systems.
Explained incorrect	There is an explanation provided, however there is no description of the alternative measure(s) that was taken to assure the design and the operation of the internal risk management and control systems nor an explanation given for not having an internal audit function.
Not explained	There is no mentioning of an internal audit function nor is it mentioned that there is no internal audit function.

*) Conforming to the Dutch Corporate Governance Code 2016, Chapter: Compliance with the Code, page 11.

Table 5.Download as CSV 

Quality of compliance to best practice provision 1.3.6 at Dutch listed companies in the Netherlands.

Best practice provision 1.3.6 Absence of an internal audit department	AEX	AMX	AScX	Local	Total
Not explained	–	–	–	–	0
Explain incorrect			1	4	5
Explain informative		1	3	15	19
Explain argumentative			3	4	7
Explain evaluative			2	1	3
Total		1	9	24	34
Not Applicable	21	21	12	9	63
Total	21	22	21	33	97

Five companies gave no real explanation for not having an internal audit function. One company explained:

“It is the opinion of the Supervisory Board that, at present, there is no need for an internal audit function in the Company.”

Another company just repeated the principle, without given a real explanation:

“[…] the supervisory board will assess annually whether adequate alternative measures have been taken and will consider whether it is necessary to establish an internal audit department.”

The majority (29 out of the 34 companies: 85%) explain³ their considerations. We classified these explanations as informative, argumentative and evaluative. Most explanations given are informative (in total 19 out of the 29 companies: 66%). The most commonly used “explanation” given is a simple statement mentioning the size of the organization or the statement that alternative measures were taken, without explaining the contents of these “alternative measures”. For example, by only mentioning the size of the organization (translated from Dutch):

“Given the size of the company, [company] currently has no internal audit service.”

Some provide a more extensive explanation, but do not mention the specific alternative measures taken (translated from Dutch):

“Given its size, the company does not have a separate internal audit function. Following the assessment by the Board of the internal control system and the findings of the external auditor in this regard, the Board believes that the introduction of an internal audit function is not necessary.”

“In the Supervisory Board’s opinion [company] risk profile has not changed. It is encouraging to note that the different companies are well positioned for the future. Attention was paid to the risk-management system and this did not produce any singularities. This evaluation also showed that [company] is not large enough to warrant it having its own internal audit function. The Group Management Board and the Management Boards of the operating companies should be complimented for their success with further developing the companies.”

Seven companies give a more illustrative explanation, about the alternative measure(s) that are established to assure the board obtains independent assurance on the company’s governance, risk management and control systems. Examples include certain financial and operational activities being carried out on an ad-hoc basis by an external service provider, self-assessments, peer reviews, certain ISO or NEN certificates. Also culture of an organization is sometimes mentioned as an alternative mitigating ‘control measure’.

Only three companies provide extensive reasoning that meet the standard as set forth by the Code. They not only set out a description of the alternative measures that were taken, but also explained how the measures attain the purpose of the principle and/or how the measures contributes to good corporate governance of the company. In our opinion the explanation below is a good example and best practice explanation:

“Considering the size of the Group and based on a cost benefit analysis, [company] had not established an internal audit department. The company has taken the following alternative measures to mitigate the absence of an internal audit department:

• For the international subsidiaries in the Tea segment, site visits by the Managing Director ad interim/Finance Director of the [subsidiary] are carried out. In 2018 site visits were organized at the [subsidiary] offices in Indonesia, Sri Lanka, Vietnam and Kenya. The site visits to Sri Lanka was also attended by the independent external Group auditor.
• In addition to these site visits, local audit firms are hired to perform audit procedures with a broader scope on top of their statutory and Group audit procedures.
• All subsidiaries are regularly visited by the Group Managing Director and by members of the Group Finance department. Topics that are addressed during those visits are financial and business performance, Group reporting and IFRS accounting, compliance to laws and regulations and internal control matters.

The Board has assessed the alternative measures performed together with any resulting findings and recommendations and concluded that the findings did not result in any material deficiencies to [company] internal control system. Hence the Board considers the alternative measures performed sufficient for not establishing an internal audit department.”

The perception often is that internal audit employee(s) must be permanently employed to be able to speak of a credible internal audit function. However, that is a misunderstanding. There are other feasible and cost efficient solutions. In our opinion companies are never too small for an internal audit function as they can also opt for an internal audit function through co- and outsourcing in line with the recommendation of the monitoring committee. The most frequently mentioned advantage of working with an external service provider is flexibility. By combining an internal chief audit executive supplemented with external specialists, it is feasible to both control costs and obtain access to flexibility and specialist knowledge. Internal auditors are then only deployed if necessary. Co-sourcing and outsourcing also can be a solution for providing the internal audit function in a cost-efficient manner with a limited number of employees.

It would be a missed opportunity if misperceptions about the costs and value of an internal audit function would lead to wrong decisions by management boards of organizations. Therefore we emphasize the importance of a good quality explanation and agree with King IV (the South African corporate governance code) that “comply and explain” is better than “comply or explain”. They explain this by stating that:

“Explanation also helps to encourage organisations to see corporate governance not as an act of mindless compliance, but something that will yield results only if it is approached mindfully, with due consideration of the organisation’s circumstances.”

As a result board members actively will have to elaborate on how the board obtains independent assurance on the company’s governance, risk management and control systems.

Based on our research, we found that there are different possibilities for further research that would provide interesting insight into the added value of the internal audit function.

• What is the real reason for smaller companies for not having an internal audit function (perceived bureaucracy, not enough added value, obstacle to innovation, immaturity, etc.)?
• Speaking of the latter, what can be said about the relationship with the maturity of the company (estab lished company, scale-up, etc.)?
• And are companies with an internal audit function more effective or more successful than companies without an internal audit function (revenue, year to year growth, top player in own market, sustainability, etc.)?