PRESS RELEASE: STRICTLY EMBARGOED UNTIL 06:00 HRS (BST) THURSDAY 23 OCTOBER


Internal audit body calls for stronger governance requirements in the Telecommunications Security Code

Chartered IIA urges Ministers to strengthen governance and oversight for telecoms companies to help protect customers from increasing digital threats

The Chartered Institute of Internal Auditors (Chartered IIA) is urging the Government to strengthen the guidance on governance, assurance and independent oversight in the Telecommunications Security Code of Practice, in its response to the Department for Science, Innovation and Technology’s recent consultation.

While the Chartered IIA has welcomed the Government’s proposed amendments to the Code, which aim to address evolving security threats to the UK’s telecommunications sector, it warns that the current proposals do not go far enough. Although the Code has sections on Governance and Reviews, it currently remains silent on the critical role of internal audit in providing independent and objective assurance to boards and senior management that telecoms security risks are being identified, managed and controlled effectively.

This omission from the Code guidance is concerning, given the need to protect the UK’s digital infrastructure from increasingly sophisticated security risks.


Research reveals assurance and governance gap in telecoms sector

Earlier this year, the Chartered IIA revealed that almost half (six out of thirteen) of the UK’s major broadband providers do not currently have an internal audit function. This potentially leaves boards of these companies without the independent assurance needed to manage and mitigate security and operational risks effectively. 

Given the daily wave of cyber-attacks on the UK’s digital infrastructure, it is therefore critical that telecoms providers have robust governance and oversight of their security risks, which an internal audit function is there to help provide.

Anne Kiem OBE, Chief Executive of the Chartered IIA, has called for stronger governance and independent assurance:

“Telecommunications are the backbone of our digital economy and touch all of our daily lives. Yet too many telecoms providers operate without the independent assurance that internal audit brings to business-critical risks, despite increasing digital security threats. Ministers need to recognise the vital role of internal audit in supporting robust governance in the Telecommunications Security Code by setting a clear expectation for companies to obtain independent assurance.”


Learning lessons from other sectors

The absence of internal audit in these telecoms companies echoes failures seen in other regulated sectors, such as energy, where the lack of independent assurance on business-critical risks may have contributed to the collapse of several suppliers, with serious consequences for consumers.  In response, Ofgem now requires energy suppliers to report on their internal audit capabilities. At the same time, the Financial Conduct Authority and Prudential Regulation Authority mandate internal audit for financial services companies, due to the sector’s systemic importance to the economy.


Recommendations to strengthen the Code

The Chartered IIA’s consultation response recommends that the Telecommunications Security Code of Practice is strengthened by:

  • Making clear that a telecoms company’s security governance framework should integrate and be consistent with internal and external audit and assurance mechanisms. This is consistent with a similar requirement in DSIT’s Cyber Governance Code, published in April.
  • Requiring telecoms providers to explain how they obtain independent assurance – whether through internal audit or equivalent mechanisms – so boards can demonstrate that security measures are effective in practice.

 

Protecting customers and businesses from digital security risks

The Chartered IIA believes that these changes are not just technical compliance matters, but about protecting people, businesses, and the UK’s digital economy. By ensuring a stronger focus on governance, assurance and oversight in the Telecommunications Security Code, the Government can help build a more resilient and secure telecoms sector. 

-ENDS-


FOR MORE INFORMATION / FURTHER COMMENT CALL GAVIN HAYES ON 07900195591


Notes to editors

The full response to DSIT can be downloaded here.

More details on the DSIT consultation are available here.

The previous press release that revealed almost half of the UK’s major broadband providers do not have internal audit can be found here.


About the Chartered Institute of Internal Auditors

The Chartered IIA represents around 10,000 internal audit professionals in organisations spanning all sectors of the economy, across the UK and Ireland. It champions the contribution internal audit makes to good corporate governance, strong risk management and a rigorous control environment leading to the long-term success of organisations, including those in the public sector.