News update

Q & A with Governance Institute

Megan Motto FGIA speaking with Catherine Maxwell FGIA FCG

How should companies and organisations set up reporting arrangements for the internal audit function – and who should the Head of Internal Audit report to?

The ‘textbook’ answer is that the Head of IA should report to the Chair of the Audit and Risk Committee with a dotted line to the CFO. However, there can be a range of different models depending on the size and complexity of the company. Some Heads of IA report only to the Audit and Risk Committee unless there’s a conflict-of-interest issue, while others also report to the CFO, Head of Risk or MD.

In most companies the Audit and Risk Committee provides input to the Head of IA’s performance and salary reviews and manages KPI setting. There is also usually a quarterly closed conversation between the Head of IA and the Audit and Risk Committee Chair.

Your company holds a reasonably large shareholding in another company. Your company has an employee (CEO) who sits on the board of that other company, as your company’s nominee. Director fees from this other board are paid directly to your company, not to your nominee director. Any legal issues with this?

It is very important to be clear about the arrangements from the outset. There can be complexity around accounting for fees with the employer and what is earned from the secondary role. Some nominees choose not to have a fee from the secondary role. Directors’ and officers’ indemnity insurance (D&O) is another consideration. Sometimes the director is covered by the secondary company’s D&O policy. In cases where there is no visibility of the other company’s D&O arrangements, it might be safer to cover the nominee director by the employer’s D&O policy.

Another issue is whether the ATO may consider directors’ fees as ‘fees for service’ when they are paid to the employer and it would be prudent to obtain tax advice before entering into any arrangements.

A further consideration is in what capacity the director receives information in their role as a nominee director. Some companies specify in the deed of indemnity that the director receives information in their capacity as a director and there needs to be consent before sharing information with the nominating company.

Did you know ‘ethical’ hackers can now operate legally in Belgium?

Ethical hacking involves an authorised attempt to gain unauthorised access to a company’s systems, data or applications to test for vulnerabilities. Ethical hackers use the same methods as cyber criminals. Some companies use ethical hackers for penetration testing.

As part of its national cybersecurity strategy, Belgium has now passed a law allowing ethical hackers to send information to the Belgian Center for Cybersecurity. Hackers must pass information to the owner of the system and the authority as soon as possible and must act without fraudulent intent or design to harm. They cannot charge for their services. This approach may be something to consider as Australia develops its own cybersecurity strategy 2023-2030.
