In most modern organisations, governance is often described using some form of “three lines” model. The governing body (board or equivalent) provides direction and oversight; management, risk and compliance functions design and operate processes and controls; and internal audit provides independent assurance and insight on how well all of this is working in practice.
This article explores how internal audit can practically assess and enhance governance across different dimensions. It is deliberately principles‑based and focuses on the day‑to‑day work of internal auditors and how we can consciously adopt a governance lens in every engagement.
Viewing Governance as an Integrated System
Governance does not reside in a single policy, committee, or document. It emerges from the combined effect of strategic decision‑making, risk oversight, culture and ethics, performance and incentives, the quality of information, and the way assurance and oversight actors coordinate their efforts. When an incident occurs – whether a conduct issue, a major operational outage, or a regulatory breach – post‑mortems almost always reveal weaknesses across several of these elements rather than one isolated failure.
Internal audit adds most value when it recognises and articulates these connections. Instead of reporting a series of narrow control gaps, auditors can show how weaknesses in governance – for example, unclear accountability, weak challenge in decision‑making or poor risk communication – made those gaps more likely and their impact more severe. This systemic view is at the heart of a governance‑focused internal audit function.
Conditions for an Effective Governance-Focused Internal Audit Function
Before internal auditors can credibly comment on governance, the function itself must be well‑positioned within the governance framework. Several conditions are particularly important across jurisdictions.
First, internal audit needs a clear mandate and scope that is formally approved by those charged with governance. An internal audit charter, or equivalent, should set out the purpose, authority and responsibilities of the function and make explicit its role in providing independent assurance on risk management, internal control and governance arrangements. In practice, this gives auditors the right – and obligation – to look beyond transactional controls and into how decisions are made, risks are overseen, and accountability is structured.
Second, organisational independence and unrestricted access to information are essential. Internal audit should report functionally to the board or audit committee and have full access to people, records and systems needed to perform its work. For staff auditors, this independence is felt when sensitive topics – such as culture, senior decision‑making or management performance – can be examined without undue pressure to soften messages or narrow scope.
Third, the function requires sufficient skills, resources and a risk‑based plan that gives appropriate coverage to governance‑related themes. As expectations expand to areas like ESG, digital resilience and AI governance, audit teams must develop capabilities to assess not only whether controls exist, but whether governance arrangements are keeping pace with emerging risks.
Finally, an effective relationship with the board or audit committee is critical. Regular, frank communication between the head of internal audit and non‑executive directors is a key mechanism through which governance insights are shared and acted upon. For individual auditors, this relationship influences the level of interest in governance‑themed findings and the support they receive when raising difficult messages.
How Internal Audit Assesses Governance in Practice
Although governance is multi‑faceted, internal audit can approach it through six practical dimensions that can be applied in any sector.
1. Quality of Strategic and Operational Decision‑Making
Strong governance requires that important decisions are made through structured, transparent processes, informed by reliable information and subject to appropriate challenge. Internal audit can examine whether there is a clear framework for strategic and operational decisions, including defined approval levels, documented criteria, and evidence of options and risks being considered.
Typical procedures include reviewing board and committee papers and minutes, examining policy and delegation frameworks, and interviewing key executives about how major decisions were initiated and challenged.
Common findings include decisions taken on incomplete information, limited evidence of challenge, or inconsistent adherence to governance processes when timelines are tight. Recommendations may focus on strengthening decision templates, improving the quality of management information, or clarifying escalation routes for concerns.
2. Oversight of Risk Management and the Control Environment
Governance is closely tied to how risk is identified, assessed and managed. Internal audit evaluates whether the organisation has a coherent approach to risk management and whether the control environment is proportionate to the risks and aligned with the stated risk appetite.
In practice, auditors review risk registers, risk reports, and the processes used to update them; they assess how risk appetite is defined and cascaded; and they test whether key controls are designed and operating effectively. Thematic work can focus on specific risk categories such as financial crime, cyber security, or operational resilience, linking process‑level findings back to questions about risk governance and oversight.
Observations may highlight, for instance, that certain material risks are under‑represented in reporting, that tolerance levels are not clearly translated into operational limits, or that risk committees receive fragmented information. Internal audit can recommend improvements in governance structures, risk reporting and integration between first and second line risk activities.
3. Ethics, Values, and Culture
Ethical behaviour and a sound risk culture are central to good governance. Internal audit’s role is to provide insight into whether the organisation’s stated values and codes of conduct are reflected in practice, and whether mechanisms to encourage speaking up and address misconduct are effective.
Auditors may assess the design and implementation of ethics programmes, training, whistleblowing channels, and anti‑fraud controls. They can use survey results, HR data, hotline statistics and interviews to form a view on whether people feel able to raise concerns without fear of retaliation and whether breaches are dealt with consistently.
Findings in this area often involve gaps between tone at the top and behaviour in the middle, inconsistencies in disciplinary outcomes, or weak follow‑up on issues raised through speak‑up mechanisms. Recommendations might include enhancing communication around values, improving investigation processes or strengthening reporting of culture indicators to the board.
4. Performance Management, Incentives, and Accountability
Performance objectives, KPIs and remuneration structures can either reinforce sound governance or undermine it by encouraging excessive risk‑taking or short‑termism. Internal audit can examine whether performance management frameworks and incentive plans are aligned with the organisation’s risk appetite and conduct expectations.
Work in this area may involve reviewing target‑setting processes, scorecards and bonus schemes, as well as examining how non‑financial risks and behaviours influence performance outcomes.
Issues may include targets that are difficult to achieve without compromising controls, limited linkage between risk/compliance outcomes and pay, or unclear ownership of significant risk exposures. Internal audit can recommend better integration of risk and culture metrics into performance frameworks and clearer documentation of roles and responsibilities.
5. Communication of Risk and Control Information
Effective governance depends on decision‑makers receiving timely, accurate and relevant information about risk and control. Internal audit can assess whether management information, risk reports and incident logs provide a reliable and complete picture to boards and senior management.
Audit procedures often include analysing the content and frequency of risk and performance reports, testing the accuracy of key metrics back to source data, and assessing whether reporting structures encourage escalation of issues rather than suppressing them. Auditors may also consider whether information is presented in a way that supports understanding and challenge, rather than overwhelming recipients with detail.
Typical findings include gaps in coverage of emerging risks, inconsistent definitions of metrics across reports, or delays in escalating significant incidents. Suggested enhancements might cover report rationalisation, better use of dashboards and data visualisation, or clearer thresholds for escalation and board notification.
6. Coordination of Assurance and Oversight Activities
Finally, governance benefits when assurance and oversight efforts are coordinated, avoiding duplication and blind spots. Internal audit can review how the board, risk and compliance functions, external audit and other assurance providers plan and share their work.
This may involve mapping assurance coverage across key risk areas, reviewing terms of reference and reporting lines, and holding discussions with other functions to understand how they prioritise and report their work. In many organisations, internal audit plays a leading role in developing an assurance map for the board.
Common issues include overlapping work on some risks and limited coverage of others, unclear responsibilities between first and second line functions, or limited sharing of findings across teams. Internal audit can recommend improved coordination mechanisms, such as regular assurance forums, integrated plans, and harmonised reporting to those charged with governance.
Elevating Internal Audit’s Role in Governance
A governance‑focused internal audit function goes beyond checking whether controls exist and operate; it asks what control weaknesses reveal about how the organisation is led, structured and overseen. This requires auditors to think at two levels: the immediate process, and the governance conditions that allowed issues to arise or persist.
Instead of reporting findings solely in operational terms, internal auditors can explicitly describe the governance implications – for example, noting that repeated control failures in a particular area suggest weak oversight, unclear accountability or insufficient challenge in certain committees. Over time, these insights can be synthesised into periodic messages to the board on recurring governance themes, such as the quality of risk information, the consistency of decision‑making processes or the effectiveness of culture initiatives.
This shift also involves a more forward‑looking stance. Governance is not just about avoiding failures; it is about positioning the organisation to manage new risks and seize opportunities responsibly. Internal audit can contribute by highlighting where governance frameworks may not yet reflect emerging areas such as ESG, digital resilience or AI, and by offering independent views on how governance structures could evolve.
Practical Steps for Internal Auditors
For individual internal auditors, embedding a governance lens does not require a complete reinvention of methodology. It does, however, call for conscious choices throughout the audit lifecycle.
During planning, auditors can explicitly identify which governance dimensions are most relevant to the area under review – decision‑making, risk oversight, culture, incentives, information, or assurance coordination – and design procedures that will yield insights on those aspects, not only on transactional controls.
During fieldwork, teams should capture observations that have governance implications, even if they are not yet fully crystallised into findings. Instances of weak challenge in meetings, inconsistent escalation, or conflicting interpretations of responsibility can be logged and discussed with the engagement manager or head of internal audit. These themes may be elevated to governance‑level commentary even if they do not align neatly with a single control deficiency.
In reporting, auditors can include at least a short statement in major findings summarising the governance impact – for example, “This issue indicates limited oversight of X risk at committee Y” – and, where appropriate, recommend improvements that address the underlying governance cause rather than only the local control symptom. Internally, audit teams can also invest in their understanding of local governance codes, regulatory expectations and leading practices within their sector, using professional and regulatory publications as ongoing sources of insight.
Conclusion: Internal Audit as a Governance Ally
Across jurisdictions and sectors, good governance shares common foundations: sound decision‑making, effective risk oversight, healthy culture and ethics, aligned incentives, high‑quality information, and coordinated assurance. Internal audit is uniquely positioned to see across these elements, connect insights from different parts of the organisation, and provide independent, evidence‑based views to boards and regulators.
By embracing a governance lens in every engagement, internal auditors can move beyond a narrow focus on control compliance to become trusted allies of those charged with governance.