September 18, 2024

This week, the UK’s Chartered Institute of Internal Auditors (IIA UKI) released the long-awaited update to the Internal Audit Code of Practice. Though the Code is intended to complement The IIA’s Global Internal Audit Standards, it actually raises the bar in a number of important areas.
While the world’s internal audit profession is busy ensuring compliance with IIA’s new Global Internal Audit Standards that become mandatory effective in January 2025, colleagues in the UK and Ireland now have some extra “homework.” Those in the financial services, private and third sectors must ensure their practices conform not only to The Global Internal Audit Standards and revised UK Corporate Governance Code, but to the new IIA Code as well. As the foreword to the new code indicates, “Although the Code remains principles-based and should be applied proportionately, we recognize that some internal audit functions may be at different stages of their compliance journey. Nonetheless, all functions are expected to engage with the Code’s principles. External Quality Assessment (EQA) providers will benchmark against the Code and assess progress towards best practices.”
As the foreword also aptly acknowledges: “The release of the new Code is particularly timely as our profession navigates an increasingly more uncertain, risky and rapidly changing world. It provides a unique opportunity to strengthen the role of internal audit in assisting boards and senior management with identifying, managing and mitigating risks effectively in a dynamic landscape. A stronger internal audit profession is also essential in restoring trust in the broader audit and corporate governance ecosystem.”
I first wrote about the new Code during its early consultation in an AuditBoard article titled: “8 Ways the Proposed UK Internal Audit Code of Practice Goes Beyond the Global Internal Audit Standards.” As I reviewed the final Code, I remained impressed by how clearly and logically it is organized. The Code’s 37 principles are organized under nine headings:
- Purpose and mandate of internal audit
- Scope and priorities of internal audit
- Reporting results
- Interaction with risk management, compliance and control functions
- Independence and authority of internal audit
- Resources
- Quality assurance and improvement program
- Relationship with regulators and external audit
- Wider considerations
The new Code makes clear that it should be applied in conjunction with the Global Internal Audit Standards. It includes the statement that the “Code builds on these Standards and seeks to increase the impact and effectiveness of internal audit by clarifying expectations and requirements.” The Code is principles-based, and urges that principles be “applied proportionately, in line with the nature, scope and complexity of the organisation.”
I also remain impressed by how much further the principles go when compared with The Global Internal Audit Standards. In fact, there are eight provisions that I think are particularly noteworthy for internal auditors:
- Internal audit’s charter “should be publicly available, and the company’s annual” report of accounts “should summarise the role of internal audit, the function’s main activities and conclude on internal audit’s impact and effectiveness.”
- Internal audit should assess whether the organization’s “risk appetite has been established and reviewed through the active involvement of the board and senior management.”
- The Code prescribes 12 specific areas that should be included within internal audit’s scope, including purpose, strategy and business model; key corporate and external events; organisational culture; internal governance; capital and liquidity risks; environmental sustainability, climate change risks and social issues; risks of poor customer treatment, giving rise to conduct or reputational risks; and technology, cyber, digital and data risks.
- Internal audit should provide “overall opinions” on the areas (from item 3 above) included within its scope. At least annually, “internal audit’s reporting to the board audit, board risk and any other board committees should include an overall opinion on the effectiveness of the governance, and risk and control framework of the organisation, and its overall opinion on whether the organisation’s risk appetite is being adhered to.”
- For financial services (FS) internal audit functions, the Code prescribes that internal audit have no responsibility for any other function (risk management, compliance, etc.). For non-FS functions, the Code stresses that “objectivity of internal audit is strongest if it is neither responsible for, nor part of, the control functions and such separation is to be preferred.”
- The “primary reporting line” for the CAE should be to the chair of the audit committee. The audit committee chair is responsible for appointing the CAE and for determining when they should be removed from the post. In addition, the chair of the audit committee is accountable for setting the objectives of the CAE and appraising the CAE’s performance at least annually.
- The CAE “should ensure that the internal audit team is made up of internal auditors from a diverse range of backgrounds in accordance with the organisation’s diversity, equity and inclusion policies and procedures, as well as relevant legislation.”
- The CAE and other senior managers within internal audit, “should have an open, constructive and cooperative relationship with relevant regulators to support sharing of information relevant to carrying out their respective responsibilities.”
In a press release on the new Code, The IIA UKI notes that “building on the new Global Internal Audit Standards and the revised UK Corporate Governance Code, the updated Internal Audit Code of Practice aligns with these frameworks while introducing several key enhancements, including:”
- Enhanced Reporting: Chief Internal Auditors should collaborate with their Audit Committee to ensure the Annual Report and Accounts include a summary of the internal audit function’s activities and conclude on its impact and effectiveness.
- Culture Audits: Internal audit functions should conduct risk-based reviews of organizational culture, extending beyond risk and control culture to encompass broader cultural risks.
- Wider Scope: Internal audit functions across all sectors should assess capital and liquidity risks and risks stemming from poor customer treatment, not limited to financial services.
- Inclusion of Emerging Risks: The new Code states that internal audit functions should address emerging risks, including environmental sustainability, climate change, social issues, financial and economic crime, and technology risks such as AI and cybersecurity.
- Alignment with Governance Disclosures: Internal audit’s assessments of risk management and internal controls should now support board disclosures on material controls, aligning with the revised UK Corporate Governance Code.
- Coordination with Assurance Providers: Internal audit functions should coordinate with other assurance providers on key risks and assurance timing, ensuring comprehensive risk coverage.
- Diversity and Technology: The Code requires internal audit teams to comprise individuals with diverse backgrounds, skills, and experiences, and for Chief Internal Auditors to ensure access to the necessary tools and technology, such as data analytics and AI, to enhance audit effectiveness.
A hearty congratulations to IIA UKI and all of those who were instrumental in finalizing the new Internal Audit Code of Practice! As always, I welcome thoughts from readers about this initiative or any other guidance-related topics.
I welcome your comments via LinkedIn or Twitter (@rfchambers).