Joined-up thinking: 8 ways the Internal Audit Code of Practice goes beyond IIA Standards

I first learned that the Chartered IIA was developing a UK financial services (FS) internal audit code in 2013. At that time, I was the President and CEO of IIA Global and I was concerned that it would create confusion and undermine the IIA Standards (The IPPF). However, I also understood the need to create additional guidance for the UK’s FS internal audit functions. Without this, the UK FS regulators were prepared to develop their own.

My fears were unfounded. The FS Code was successful and co-existed effectively with the IPPF for many years. It went on to become a model for a complementary Code of Practice for internal audit in the private and third sectors in 2020.

Following the release of the new Global Internal Audit Standards earlier this year, an independent committee of audit committee chairs, chief audit executives (CAEs) and senior internal audit professionals was convened to update and combine the two existing codes into a new single Internal Audit Code of Practice. The consultation draft has been released, and you can leave feedback until 8 May.

The new code makes it clear that it should be applied in conjunction with the Global Internal Audit Standards. It includes the statement that the “code builds on these Standards and seeks to increase the impact and effectiveness of internal audit by clarifying expectations and requirements”. The code is principles-based, and states that principles should be “applied proportionately, in line with the nature, scope and complexity of the organisation”.

As I reviewed the proposed code, I was impressed by how clearly and logically it is organised. Its 36 principles are grouped under seven headings:

    A. Role and Mandate of internal audit

    B. Scope and priorities of internal audit

    C. Reporting results

    D. Interaction with risk management, compliance and control functions

    E. Independence and authority of internal audit

    F. Resources

    G. Quality assurance and improvement programme

I was also struck by how much further these principles go than the Global Internal Audit Standards. In particular, there are eight provisions that I think are noteworthy:

  1. Internal audit’s charter “should be publicly available”, and the company’s annual report of accounts “should summarise the role of internal audit, the function’s main activities and conclude on internal audit’s impact and effectiveness”.
  2. Internal audit should assess whether the organisation’s “risk appetite has been established and reviewed through active involvement of the board and senior management”.
  3. The code prescribes 13 specific areas that should be included within internal audit’s scope including: strategy and business model; organisational culture; internal governance; environmental sustainability, climate change risks and social issues; and risks of poor customer treatment giving rise to conduct or reputational risks.
  4. Internal audit should provide “overall opinions” on the areas (from item 3 above) included within its scope. At least annually, “internal audit’s reporting to the board audit, board risk and any other board committees should include an overall opinion on the effectiveness of the governance and risk and control framework of the organisation, and its overall opinion on whether the organisation’s risk appetite is being adhered to”.
  5. For FS internal audit functions, the code prescribes that internal audit has no responsibility for any other function (risk management, compliance, etc). For non-FS functions, the code stresses that “objectivity of internal audit is strongest if it is neither responsible for, nor part of, the control functions and such separation is to be preferred”.
  6. The CAE’s “primary reporting line” should be to the chair of the audit committee. The audit committee chair is responsible for determining the appointment and removal of the CAE, setting their objectives and appraising their performance.
  7. Even when internal audit is outsourced, the CAE should always be employed directly by the organisation. In addition, remuneration of the CAE “should not be directly or exclusively linked to the short-term performance of the organisation”.
  8. The CAE “should ensure that the internal audit team is made up of internal auditors from a diverse range of backgrounds in accordance with the organisation’s diversity, equity and inclusion policies and procedures, as well as relevant legislation”.

There is much more to the proposed code than I have highlighted. For that reason, UK internal audit practitioners should review all the documents. 

Richard F Chambers, CIA, QIAL, CGAP, CCSA, CRMA is Senior Internal Audit Advisor, AuditBoard and Former President and CEO of IIA Global.

This article was published in May 2024.