An internal auditor for Ajax? Shot in front of goal

Feb. 5, 2021

Even a moderately observant reader must have seen it: due to an administrative error, Ajax's new multimillion-euro striker Sébastien Haller has not been included in the player list for the Europa League and therefore may not play in this important competition this season. 'This is a detail with very big consequences,' coach Ten Hag said. A lot is expected of the striker. To put it in perspective: with a transfer fee of 22.5 million euros, it is the most expensive purchase ever made by a Dutch club!

How can such a thing happen, one wonders, when there are such stakes involved? Getting as far as possible in the Europa League generates millions. Surely, with an annual turnover of 162 million, these are considerable sums. I immediately started looking at Ajax's annual report. What about risk management and internal audit? After all, it is a listed company and the Corporate Governance Code applies.

In the 2019/2020 annual report, you will find a comprehensive risk paragraph focusing on the Corporate Governance Code according to the "comply or explain" principle. The 10 most important risks are neatly listed, including the corresponding control measures. There is also a three lines model, but there is something odd about it. The managers are the 1st line of defense. The 2nd line of defense consists of the Finance & Control and Legal & Compliance departments. So there is no specific risk management function (which is not necessarily an issue). What is strange: the Finance & Control department also has a role as internal auditor, the 3rd line of defense, along with the external auditor. Quote from the risk paragraph: "The SB and the audit committee conclude that the '3rd line of defense' functions properly and therefore no separate internal auditor is needed."

You're not going to see it until you realize it

It is not clear from the annual report whether there is separation within the Finance & Control department between those performing the 2nd line work and the 3rd line work, but it is clear that the governance system failed at a critical point. Was the risk never identified, was no control measure defined, or did it never work? Hindsight is 20/20, but perhaps a separate function of risk manager and a function of internal auditor is not such a crazy idea after all? In the words of a great Ajax player: "You only see it when you realize it". That certainly applies to internal control as well.

As a lover of these fields and soccer (of Ajax), I am happy to offer Ajax our services and to compensate a little bit for the setback of the Haller case, at a reduced rate. A sparring session about a thorough and efficient organization of the three lines is always possible.

The latter, of course, also applies to other organizations. Please feel free to contact us at marc@arcpeople.nl or 06 52 07 31 62.

Contact
Marc van Heese RO RE CIA
Partner
06-52073162