Internal Audit Code of Practice consultation- what are the key take-aways for Heads of Internal Audit?
Following on fast after the publication of the Global Internal Audit Standards, the Chartered Institute of Internal Auditors (IIA) began its consultation on a revised and combined version of the Internal Audit Code of Practice (“Combined IA Code”) in March 2024. The intention is that this document will replace the guidance included in the existing documents - the Internal Audit Financial Services Code of Practice (“the FS Code”) published in 2013 and the Internal Audit Code of Practice for the private and third sectors (“the Code of Practice”) published in 2020.
The Combined IA Code is to be published with the aim of harmonising practices across the profession in the financial services, private and third sectors to provide a single view of best practice, whilst recognising differences arising from size scale of organisational operations as well as regulatory and environmental factors. Like the previous Codes, the Combined IA Code will be voluntary and set a best practice benchmark against which internal audit teams can measure themselves and be measured by Boards, Audit Committees, and regulators.
What are the key changes proposed in the Combined IA Code?
The key changes proposed are as follows:Mandate
- The primary role of internal audit should be to help the board and senior management to protect the assets, reputation and sustainability of the organisation. It does this by:
- providing independent, risk-based and objective assurance, advice, insight and foresight
- assessing whether all significant risks are identified and appropriately reported by management to the board and senior management
- assessing whether the organisation is adequately controlled
- challenging and influencing senior management to improve the effectiveness of governance, risk management and internal controls, including identifying efficiencies and removing duplicative and/or redundant controls.
- The Chief Audit Executive is required to report annually to the Audit Committee on how the principles in the Combined IA Code have been applied.
- The annual report and accounts are required to include a summary of the role of internal audit, the function’s main activities and internal audit’s impact and effectiveness.
Scope
- The recommended scope of internal audit activity is extended to include organisational purpose, strategy and business model, culture, governance, risk appetite, key corporate events, capital and liquidity risks, customer treatment and reputational risk, environmental sustainability, climate change risk and social issues, financial crime and fraud, technology and data risks, risk management, compliance, finance and control functions, outcomes of processes.
Reporting
- At least annually, internal audit’s reporting to the Audit, Risk and any other Board committees is to include an overall opinion on the effectiveness of the governance, and risk and control framework of the organisation, and its overall opinion on whether the organisation’s risk appetite is being adhered to.
Interaction with risk management compliance, finance and control functions
- Internal audit is to support the development of an assurance map on the organisations key risks and align on the timing of assurance. This should be presented to the Audit Committee.
Independence and authority
- For financial services organisations, internal audit should report administratively to the Chief Executive. In some cases, in the private and third sectors, another senior manager who backs up and safeguards internal audit’s independence and objectivity can be the administrative reporting line. The Audit Committee Chair should agree with this arrangement.
Resources
- The Chief Audit Executive is to ensure that the internal audit team is made up of internal auditors from a diverse range of backgrounds.
- The Chief Audit Executive is required to ensure internal audit has the appropriate tools and technology to support the function’s effectiveness and impact.
How does this compare with the previous Codes?
The Combined IA Code that is suggested has 36 principles and is divided into nine sections. This means there are only three extra principles in the Combined IA Code compared to the previous Code of Practice and five extra principles compared to the FS Code. The goal of the Combined IA Code is the same as for the previous Codes - "to enhance internal audit standards and improve the performance and influence of internal audit within organisations by making expectations and requirements clear." A key difference is that - each of the nine sections of the Combined Code has a desired outcome. For example, the outcome for Section A- Role and Mandate of internal audit is "Internal audit has a definite role and mandate. The organisation has a strong leadership culture that allows internal audit to fulfil its mandate effectively."
There is no change to the definition of the primary role of internal audit. What has changed is that the Combined IA Code expands the remit of the function to include providing independent, risk-based and objective assurance, advice, insight and foresight, challenging and influencing senior management to improve the effectiveness of governance, risk management and internal controls, including identifying efficiencies and removing duplicative and/or redundant controls. The intention is to strengthen internal audit’s mandate to be forward looking and emphasise internal audit’s role in influencing and challenging management.
Some scope areas were defined in both the FS Code and the Code of Practice. These scope areas have been aggregated in the new Combined IA Code and additional topical areas such as ESG and technological risk have also been added to list of recommended areas.
The reporting requirement has become much more extensive. Before, the requirement was to provide “at least once a year, an evaluation of how effective the organisation’s governance, and risk and control framework is, and its findings on whether the organisation is following its risk appetite, along with an analysis of the patterns and trends arising from internal audit work and how they affect the organisation’s risk profile.” The new Combined IA Code asks for “an overall opinion” on these areas. It also expects that this opinion should “back up any Board disclosure on the company’s risk management and material controls and should point out any major weaknesses found.”
The principle of internal audit third line independence from second line control functions remains and is mandatory for financial services organisations. For private and third sector organisations it is recognised that Chief Audit Executives may have some responsibilities for such control functions such as risk management. This remains permissible provided that adequate safeguards to independence are put into place. The main change is that new Combined IA Code now explicitly refers to the production of an assurance map in collaboration with any other (including second line) assurance providers.
The secondary reporting line for the Chief Audit Executive recommended under the FS Code was to the Chief Executive. Under the Code of Practice an alternative Executive team member was permitted to act as secondary reporting line subject to approval by the Chair of the Audit Committee. These provisions remain under the new Combined IA Code.
As under the previous Codes, the Chief Audit Executive is still required to ensure that the internal audit team has the necessary technical skills and expertise in line with the scale of the organisation and its risks. The new Combined IA Code adds additional provisions that promote diversity and ensure that the team has the necessary technology and tools e.g. data analytics to perform effectively.
How should Heads of Internal Audit respond?
As with the previous Codes, the proposed Combined IA Code remains a voluntary list of principles designed to set out a benchmark of good practice. Once the consultation has been completed, the agreed version of the Combined Code is to be used alongside the updated Global Internal Audit Standards. There is a relatively short consultation period which runs until 8 May 2024 so it is expected that the new Combined IA Code will come into force at the same time as the Global Internal Audit Standards - 9 January 2025.
This is a best practice document which clearly states that it is to be applied “proportionately, in line with the nature, scope and complexity of the organisation.” Heads of Internal Audit therefore still have the flexibility to determine their own way of meeting internal audit standards. However, many of the refinements are useful and reflect trends and changes in corporate governance thinking- notably reflecting recent UK Corporate Governance reform and including topical areas within the recommended audit scope, such as ESG.
Heads of Internal Audit should start to evaluate their method according to the principles of the suggested Combined IA Code to see whether the recommended good practice enhancements are suitable for their organisation. The outcomes of this could be usefully shared with the Audit Committee so that it knows fully how good practice is determined for internal audit and the reasons why some (if any) of the principles have not been followed.
References
Institute of Internal Auditors – Revised Internal Audit Code of Practice Consultation March 2024
Institute of Internal Auditors – Financial Services Code of Practice January 2021