View from the institute: Regulations | supporting the spirit of the law
What is the purpose of regulation? Sometimes it’s good to ask the basic questions. Internal auditors exist to help boards be confident that they are doing the right things, but also to understand why the right things are important in the first place.
In the past couple of months, we have seen the publication of the revised Corporate Governance Code and its supporting guidance as well as a consultation on a proposed cyber governance code. IIA Global has published details of the new Global Internal Auditing Standards and, at the Chartered IIA, we are revising our Internal Audit Codes of Practice for private and financial services firms.
At the same time, the news has been full of the fallout from the scandal over the Post Office’s faulty Horizon software, while fines cost UK organisations £1.2bn in 2023.
Organisational crises are caused by many things, some internal, others external, such as geopolitical instabilities and the rapid growth in the use of artificial intelligence. It is usually internal fault lines that lead to scandal, which then prompts new rules to avoid a recurrence. However, all rules, scandals and sanctions have one thing in common: they reinforce the importance of strong corporate governance and the value of internal audit.
It’s not just about avoiding fines or obeying the letter of the law. Corporate reputations are valuable and we are seeing increasing emphasis on the spirit of the law – it’s important to be seen to do the right thing for the sake of the thing itself. Customers, employees and the public care when they find out that organisations are doing things that run counter to their stated values or exploit legal loopholes.
UK law has always espoused the “comply or explain” principle, rather than the more prescriptive rules-based systems used in the US and elsewhere. However, the explanation part of this is becoming more important, both to the regulators and more broadly.
This is why I was delighted to see far more emphasis on the important role of internal audit in the guidance that accompanies the new Corporate Governance Code. Internal audit is mentioned specifically over 40 times in the guidance, far more than previously. The institute has contributed to the revision of the guidance, via the FRC’s Stakeholders Insights Group, and we will continue to meet with the regulators and the government to put the case for more formal requirements for organisations to have professional internal audit functions.
We are making progress. New guidance from energy regulator Ofgem and the Charity Commission both include an explicit expectation that organisations will have an internal audit function. This is not a formal requirement, but it marks a change of attitude and awareness and this is important.
“Restoring trust” was, of course, the aim of proposed new audit regulations, which are not now on the current Parliament’s agenda. This is disappointing, but the role of internal audit in helping to restore trust (or maintain and build trust) in our organisations has not gone away. Public outrage at perceived wrongdoing can be just as damaging as legal infringements – recent events have also shown that admitting deception, but arguing that lying is not illegal, does not go down well.
However, to restore trust we also need laws to impose accountability, and we believe that it’s important that the FRC is given the “teeth” it will need to hold senior directors to account for wrongdoing. Personal responsibility is vital to combat wilful rule-breaking or gross negligence.
Chief executives are not omnipotent beings, but they have a responsibility to act if wrongdoing is brought to their attention, and a responsibility to ensure that wrongdoing is brought to their attention in the first place. This is where internal audit comes in. Chief audit executives (CAEs) should be able to advise boards about what the new Corporate Governance Code guidance says and what it means for them in practice.
There are many areas where internal audit teams are already working closely with boards and other functions to ensure that senior executives get a verifiable view of the “truth” and that the “facts” they publish to regulators and to the public are accurate, whether or not there are formal laws in operation. Sustainability, culture and supply chains are all important to stakeholders and to the public. Good practice and positive statistics are often quoted, but glowing PR reports quickly backfire if the reality turns out to be rather different.
Internal audit functions have the expertise and the overview of the whole organisation to identify whether claims are verifiable, to question governance and controls, and to highlight potential weaknesses or missing data that could undermine over-confident claims. This is essential when the reputation of the organisation and the CEO is on the line (even more so if legal or financial penalties are involved).
Many of these rapidly developing potential risks are difficult to audit and involve connecting multiple areas of an organisation. In the case of supply chains, internal audit teams are having to investigate what is happening beyond their own organisational borders. Public opinion and, increasingly, legislation demand more transparency, but few organisations are equipped to report confidently on their supply chains, or fully understand their supply chain resilience.
This is why we have recently published two reports – Supply Chain Resilience and Security: Harnessing the Potential of Internal Audit and Supply Chain ESG Risks: Harnessing the Potential of Internal Audit. These seek to highlight the most important issues and to provide practical guidance for internal audit teams, so they can offer assurance on the accuracy and transparency of data and build resilience.
Further guidance and advice are always available from our courses, forums, special interest groups, events and, of course, at our annual Internal Audit Conference. Legislation constantly evolves, but public opinion and best practice are usually a step or two ahead of formal legal requirements.
The direction of travel is clear and internal audit is in a great place to provide the insights and support that boards and organisations need now and will need more in the future. We will continue to campaign and influence at national level, but CAEs and their teams can stay ahead of developments and highlight the key issues to discuss with senior executives so they fully understand why they need internal audit.
This article was published in March 2024.