Integrate risk and audit too closely and you lose precisely the independent assurance that the board and supervisory body rely on. No one notices — until the external quality assessment arrives.
The tension in the model
Integrating risk management and audit sounds logical: less fragmentation, more coherence, lower costs. But anyone who does so without thinking through the implications quietly erodes the independence of assurance. The very foundation that the board and governing body need most.
In a classic Three Lines arrangement, the structure is clear. The first line executes, the second line supports risk management, Internal Audit provides independent assurance. Alignment with governance frameworks such as the IIA Global Internal Audit Standards (GIAS) and the Dutch Corporate Governance Code (CGC) is self-evident.
Once organisations pursue greater integration, the burden of proof shifts. That need not be a problem, provided you make deliberate choices and actively demonstrate how you meet professional standards.
Here lies the tipping point. Beyond a certain degree of integration, the organisation leaves the domain of professional standards and makes a deliberate governance choice. Both the CGC and broader governance thinking presuppose a recognisable, independent evaluation function. The less visible that function becomes, the harder it is to account for it to the supervisory board and shareholders.1
Cost pressure is a real driver in this trade-off. But costs do not override governance logic. They make the trade-off more explicit: what does the saving deliver, and what do you give up?
Four configurations
To see where it chafes, first the possible configurations. I distinguish four:
Configuration 1: Clear separation is the classic Three Lines arrangement. Role allocation is sharp, Internal Audit is formally and functionally independent and reports to the audit committee. High comfort on both GIAS and CGC compliance.
Configuration 2: Smart combination combines risk and audit in one department under one head. In practice a common and GIAS-permissible choice, provided it includes explicit preconditions and embedded safeguards. The CAE may coordinate risk management activities, but management remains the risk owner. Crucially: the CAE does not audit domains where they hold a coordinating role, and the dual role is transparently approved by the audit committee. This is a grey area that must be actively managed.2
Configuration 3: Silent drift is where the character of Internal Audit fundamentally tilts. The function is still formally called "audit", but in practice has become a management-directed investigation tool. The audit plan follows management priorities, not an independent risk assessment approved by the board and audit committee. Scope is determined by what the board wants to know at any given moment. IA participates in risk committees, steering groups and improvement programmes with substantive input. This makes it co-responsible for outcomes it is later expected to assess. The boundary between advising and assessing evaporates. Information provision to the audit committee effectively runs through the board. The problem is not structural but behavioural: Internal Audit no longer functions as a third line, but as an extension of the second. This is the point at which GIAS non-compliance begins. In practice, unfortunately also the configuration most tempting from a cost perspective.
Configuration 4: Governance on paper brings risk management almost entirely into the line. Internal Audit as a recognisable function disappears, or is so minimally staffed that systematic independent assurance is no longer possible. Outside GIAS, and contrary to what the CGC sets as a baseline expectation.3
Where configurations 3 or 4 chafe: two practical illustrations
The tension between cost pressure and governance comfort is concrete. Two practical illustrations show where things go wrong.
A listed company in the technology sector.
This company merged the internal audit function with the risk & compliance department under one combined head, as part of an efficiency programme. The audit plan is aligned annually with the CFO and then submitted to the audit committee for approval. In practice, however, audit planning closely follows the themes management considers priority: digital transformation, ERP implementation, working capital management. An independent risk assessment by the IAF itself, as required by GIAS Standard 9.4, barely takes place. The audit committee receives the reports, but the agenda is effectively set by the CFO.
This is configuration 3 in practice. Formally the function exists and reports to the audit committee. Functionally it has become a structured management tool. The company meets the letter of CGC best practice provision 1.3.1 (there is an "internal audit function"), but not the spirit.4 The five-yearly external quality assessment (best practice provision 1.3.2) will likely expose this.
A non-listed enterprise in logistics services.
This family-owned business has never had a formal internal audit function. The controller fulfils the second line: financial planning and control, risk identification and internal control over processes. The supervisory board is small, without a formal audit committee, and relies almost entirely on the controller and the external auditor for its information. An in-control statement has never been considered; the CGC does not apply.
This is configuration 4, but without the associated governance tension: the CGC does not apply, shareholders are family and accept the arrangement (and may not even be aware of the limitations). External regulators impose no requirements on the IAF. The only real test is whether the supervisory board considers itself sufficiently independently positioned vis-à-vis the board of directors. The moment this company attracts external financing, makes an acquisition or enters a regulated market, that picture tilts.
This contrast exposes a core point: the governance choice depends on the configuration itself and on the applicable assessment framework. Those who follow the CGC, voluntarily or by obligation, have less room to manoeuvre than those who do not. And once CGC obligations have been accepted, they cannot be selectively ignored when it becomes cheaper.
Three friction points
The control foundation
Integration or weakening of the audit function only works if the first and second lines are mature enough to rely upon. In both practical illustrations above, the independent assurance that could underpin that reliance is absent.
The In Control Statement trajectory
An In Control Statement (ICS) is the board's formal declaration that internal risk management and control systems function adequately. It is the capstone of a mature control system. When Internal Audit shifts towards a board-directed investigation tool, one of the most important sources of independent assurance underpinning that statement disappears. Today's cost saving creates tomorrow's governance debt.
The accountability relationship
Those who apply the CGC have committed themselves to shareholders, regulators and other stakeholders. Configuration 3 or 4 sits poorly with that commitment. Cost pressure is not sufficient justification.
The logical direction for an organisation that has accepted governance obligations is strengthening configuration 2, not simplification towards 3. Those who wish to save on governance arrangements must first establish what the organisation gives up, and whether the supervisory board and shareholders are prepared to bear that risk once the external assessment comes.
Why does GIAS serve as the standard for Internal Audit?
Is GIAS referenced in the CGC? No.
The CGC 2022 does not mention the IIA or GIAS by name. Principle 1.3 describes the tasks and position of the internal audit function, but does not prescribe a specific standard. Substantively, however, the CGC has progressively converged with IIA standards: in 2022, elements such as an independent five-yearly quality assessment and the audit committee as functional reporting line were explicitly incorporated. These are provisions that directly align with what GIAS has long required.
Why then does GIAS nevertheless serve as the standard?
First, GIAS is the global professional standard: "All internal audit functions are expected to be in conformance with the Global Internal Audit Standards" (IIA, 2024). Those who present themselves as an IAF are bound by this standard. Whether the CGC references it is irrelevant.
Second, the CGC (best practice provision 1.3.2) requires the IAF to be periodically assessed externally by an independent third party. That assessment — in practice an External Quality Assessment — is always conducted against GIAS. CGC obligation and GIAS are therefore functionally inseparable, even though the name does not appear in the code.
Can other standards be used?
In theory, yes. Alternatives that occasionally surface: ISAE 3000 (assurance engagements), ISO 9001 (process assurance), the Dutch Government Internal Audit Reference Framework and sector-specific frameworks such as those of the Dutch Central Bank (DNB). But in practice: those operating as an IAF within a CGC context can hardly avoid GIAS. An IAF using an alternative framework must explain why that framework offers equivalent protection for independence, objectivity and quality.
Configurations and governance comfort — overview
| Configuration | Characteristic | GIAS | CGC | Governance comfort |
|---|---|---|---|---|
| 1. Clear separation Classic Three Lines |
Clear role allocation; audit formally and functionally independent | High | High | High — structure speaks for itself |
| 2. Smart combination Risk & audit combined |
One department; independence explicitly safeguarded via audit committee | Medium-high grey area | Medium-high | Defensible if actively managed and transparently accounted for |
| 3. Silent drift IA as board instrument |
IA follows management agenda; functionally no longer a third line | Non-compliant GIAS | Low — tipping point CGC | Friction: control incomplete; ICS virtually impossible; CGC gap widens |
| 4. Governance on paper Minimal assurance |
Risk management in the line; IA disappears as recognisable function | Outside GIAS | Deliberate choice required | Untenable: contrary to CGC; supervisory board without independent information position |
Cost pressure is a real driver towards configuration 3 or 4, but not an argument that overrides governance logic. Those who have accepted governance obligations cannot selectively ignore them when it becomes cheaper. That conversation starts at the audit committee.
Notes
1 CGC 2022, Principle 1.3 / best practice provision 1.3.1: "The internal audit function is tasked with assessing the design and operation of the internal risk management and control systems. The board is responsible for the internal audit function. The supervisory board oversees the internal audit function and maintains regular contact with the person fulfilling that function." Explanation to best practice provision 1.4.3: "The board's statement on risk management does not provide absolute assurance but rather management of material risks appropriate to the strategy and risk appetite." (CGC 2022)
2 GIAS 2024, Standard 7.1 (Organizational Independence): "If the objectivity of the chief audit executive is impaired in fact or appearance, the chief audit executive must disclose the impairment to the board." Considerations for Implementation at Standard 9.4: "If ERM reports through IA, an external review of ERM would need to be performed to preserve objectivity." (KPMG GIAS analysis 2024)
3 GIAS 2024, Domain I: "The internal audit function is independently positioned with direct accountability to the board. Internal auditors are free from undue influence and committed to making objective assessments." CGC 2022, best practice provision 1.3.4: "Where the company does not have an internal audit function, the supervisory board shall annually assess whether adequate alternative measures have been taken and whether there is a need to establish an internal audit function."
4 CGC 2022, best practice provision 1.3.2: "The internal audit function must prepare its own work plan after consultation with the board, the audit committee and the external auditor. The board and the supervisory board must approve the work plan." See also GIAS 2024, Standard 9.4: "The IA plan must be based on a documented assessment of the organization's strategies, objectives and risks. The IA function should only rely on management's information about risks if IA has concluded that the organization's risk management processes are effective."
Housing associations: a distinctive position
The controller at housing associations: a distinctive position
A different reference framework: the Housing Associations Governance Code 2025
Housing associations do not fall under the CGC but under the Housing Associations Governance Code (Aedes/VTW). The most recent version took effect on 1 January 2025. The code has five principles. Principle 5 addresses risk management: "Housing associations face significant (financial) risks. The board is responsible for sound risk management and the supervisory board oversees this." Provision 5.3 requires the board to provide the supervisory board with all relevant information for oversight of risk management. A mandatory internal audit function is not prescribed by the code. The Housing Authority (Aw) exercises external supervision and considers adherence to the Governance Code in its risk assessment.
The role of the controller
At most housing associations, the controller fulfils the second-line role, sometimes combined with a risk management function. A distinct third line in the form of an internal audit function is often absent, particularly at smaller and mid-sized associations. The controller is therefore in practice the sole internal assessor of internal control. That position is functionally vulnerable: the controller typically reports to the managing director, not functionally to the supervisory board or audit committee. When the controller also assumes the internal audit role, second and third lines are effectively combined in one person, without the explicit safeguards that GIAS requires for role combinations.
What does this mean for the configuration choice?
For housing associations, configuration 3 (silent drift) is not a future risk but often existing practice: the controller as a board-directed instrument, without a formally independent audit body. Understandable given the size and resources of many associations, but it demands deliberate compensating measures: a strong audit committee within the supervisory board, active involvement of the external auditor in internal control matters, and where possible periodic external quality assessment of the control function. Associations that opt for configuration 2 (controller and risk management combined, with explicit safeguards for the independence of the assurance function towards the supervisory board) are in the most defensible position.
How can Audirium help?
The line between risk and audit is shifting. That demands clear agreements on roles, independence and mandate. I help draw that line sharply, with an eye for best practices and creative solutions that fit your organisation.
- CGC/VOR baseline assessment and gap analysis — where does your organisation stand relative to the Corporate Governance Code and the requirements for a VOR-ready audit function?
- Positioning and mandate advisory — charter review and independence analysis in conformance with GIAS Domain III and Essential Conditions
- Governance assessment — roles of the board, risk and audit clearly mapped, with concrete recommendations
- Three Lines implementation — practical translation of the IIA Three Lines Model to your organisation
- Best practices and creative solutions — no standard advice, but solutions that work within your governance structure and culture
Want to know how I can clarify the relationship between risk and audit in your organisation? Get in touch →