Governance Audit vs. Legal Audit: Understanding the Distinction in Kenya’s Corporate Framework
In Kenya’s evolving regulatory landscape, the terms governance audit and legal audit are sometimes used interchangeably yet they are distinct instruments, each with its own scope, practitioner, frequency, and regulatory mandate. Understanding the difference is not merely academic; it has direct implications for board responsibility, regulatory compliance, and institutional credibility.
Defining the Two Audits
The Governance Audit is an annual, independent assessment of a company’s adherence to sound corporate governance practices. As defined by the Capital Markets Authority (CMA) in its Frequently Asked Questions on the Code of Corporate Governance Practices for Issuers of Securities to the Public, 2015, it evaluates the extent to which a company complies with the governance standards set out in the Code, covering areas such as board leadership, transparency, stakeholder engagement, board systems, and general compliance with applicable laws. It must be conducted by a Governance Auditor accredited by the Institute of Certified Public Secretaries of Kenya (ICPSK) once every two years (biennially).
The Legal and Compliance Audit is a focused examination of a company’s adherence to the laws and regulations applicable to it, including national and county legislation, regulatory guidelines, and international standards. Unlike the governance audit, which sweeps across the entire governance architecture, the legal audit is principally concerned with legal compliance. It must be carried out by a legal professional in good standing with the Law Society of Kenya (LSK) and is required at least once every two years (biennially). While internal legal compliance reviews are conducted annually, the external legal audit is on a biennial cycle.
Key Distinctions at a Glance
The table below summarises the core differences:
| Criterion | Governance Audit | Legal & Compliance Audit |
| Primary Focus | Overall governance practices & culture | Adherence to applicable laws & regulations |
| Conducted by | ICPSK-accredited Governance Auditor and Certified Secretary | LSK- Legal and Compliance Auditor |
| Frequency | Externally: biennially; | Externally: biennially; internally: annually |
| Authority | CMA Code of Corporate Governance, 2015 | CMA Code of Corporate Governance, 2015 |
| Legal assessment? | Included but not exhaustive | Primary and comprehensive |
| Outcome | Governance score/rating and opinion; board improvement plan | Compliance findings; non-compliance remediation |
The Regulatory Mandate: Who Must Comply and How Often?
Under Clause 2.7.3 of the CMA Code (2015), the following categories are mandated to conduct annual governance audits:
- All issuers of securities to the public, including companies listed on the Nairobi Securities Exchange (NSE)
- Unlisted public companies that have received CMA approval to issue securities to the public
- CMA-licensed intermediaries such as stockbrokers, investment banks, and fund managers
Beyond capital markets, governance audit obligations, or equivalent governance assurance requirements, are embedded across several other regulated sectors:
- Banking and microfinance institutions, regulated by the Central Bank of Kenya (CBK) under the Prudential Guidelines, which require robust governance frameworks and fit-and-proper assessments for boards
- Insurance companies, overseen by the Insurance Regulatory Authority (IRA), which prescribes governance requirements under the Insurance Act
- Pension schemes, regulated by the Retirement Benefits Authority (RBA) under the Retirement Benefits Act, with mandatory trustee governance and annual reporting obligations
- Deposit-taking SACCOs, regulated by SASRA under the Sacco Societies Act, which requires annual external audits and strict board governance standards including fit-and-proper declarations for all directors
State corporations and public entities are further subject to the State Corporations Act and the Public Finance Management Act, which embed governance reporting and audit obligations at the board level.
The International Dimension
Kenya’s bifurcated audit framework is consistent with global best practice. The King IV Report on Corporate Governance for South Africa, 2016, widely regarded as the benchmark for governance codes on the continent, operates on an “apply and explain” basis and distinguishes between the oversight of legal compliance (a board responsibility under Principle 13) and broader governance assurance.
King IV’s five-lines-of-assurance model integrates legal compliance assurance and governance review as complementary but distinct functions. Equally, the OECD Principles of Corporate Governance underscore that legal compliance is a floor, not a ceiling, and that genuine governance quality is assessed through a broader lens of transparency, accountability, and responsible stewardship. The CMA Code deliberately aligns with these international frameworks.
Why the Distinction Matters for Boards
A board that equates a clean legal audit with good governance is taking a significant risk. A company can be legally compliant yet structurally deficient, operating without a board charter, lacking board diversity, failing to disclose related-party transactions adequately, or maintaining committees that exist on paper only.
Conversely, a governance audit that surfaces systemic non-compliance with laws signals that the legal audit, when it falls due, may yield findings with serious regulatory consequences.
Together, the two audits form a comprehensive assurance architecture: one confirming that the organisation is led well; the other confirming it is led lawfully. Neither is a substitute for the other.
Conclusion
For listed companies, CMA-licensed entities, banks, insurers, pension funds, and SACCOs in Kenya, both audits are now integral to the governance calendar. Boards should view them not as regulatory burdens, but as instruments of institutional health. The governance audit, conducted annually by an ICPSK-accredited Governance Auditor, tells you how well the organisation is governed. The legal audit, conducted biennially by an LSK-qualified lawyer, tells you how lawfully. Both answers matter.

