View from the top: Start conversations – the new Chartered IIA Code of Practice
The Chartered IIA’s new Code of Practice will be published next week and I strongly urge all members to read it and use it to start conversations with stakeholders across their organisations. As the Chair of the committee responsible for drafting the new code, I am passionate about the way in which internal audit can add real value to organisations – and about making this value more widely recognised. The new code, therefore, is a document that is intended to be used and discussed, not to be filed and forgotten.
I have a long relationship with the institute’s Code of Practice, because I was involved when the first one was published in 2013. Our purpose back then was to address the concerns of the regulators regarding the lack of impact we had made on the financial services sector in the period before the financial crash of 2008. In fact, back then if you Googled “internal audit” and “financial crash”, nothing came up – not because we were doing everything right, but because our profession was largely seen as irrelevant and even teams doing the best work were invisible.
The first code was created for financial services firms and then, when this proved successful, a second was drawn up to support internal audit functions in other private-sector and third-sector organisations. Together, these helped to raise the performance and the profile of the profession by setting out what organisations should expect of their internal audit teams, making it explicit, for example, that chief audit executives (CAEs) in financial services firms should have the right to attend executive committee meetings, and setting expectations that they should report to the chair of the audit committee and secondarily to the CEO. It was no longer good enough to regard internal audit as a subset of the finance team.
Today, things have progressed and the introduction of the new Global Internal Audit Standards gave us an impetus to reassess the codes and set new aspirations to help internal audit teams and the organisations they serve meet emerging challenges. We decided to combine the two codes into a single revised code for all organisations, taking into account what best practice looks like today and what chief executives and audit committee chairs need from us now.
We have come a long way, but we are not there yet. IIA Global’s 2035 project recently found that many stakeholders still regard internal audit as purely focused on monitoring compliance, so the code invites all of us to transition to a more strategic and value-adding role. Moreover, I regularly talk to headhunters about the people they seek to chair audit committees. Most expect the chair of the audit committee to have financial experience running a finance team or as an external audit partner at a Big Four firm. Far fewer look for those with an internal audit background, even though the role oversees internal audit and the control environment.
As a former chief audit executive (CAE) who now chairs an audit committee, I appreciate that this is both great and terrifying for the incumbent CAE. After all, I really understand what they do and the impact they can achieve, but I also have high expectations. I expect CAEs to push the limits of what they do constantly and drive things forward. I want to see them make a meaningful difference to
the organisation.
I therefore hope the new code will encourage more audit committee chairs and CEOs to appreciate what a great internal audit team can do and why it matters. I want them to engage with, and enable, their CAEs to improve what they do and the impact they have.
The code is not a document just for the internal audit team. It is a description of, and encouragement to achieve, best practice – wherever your team currently stands in terms of maturity. We want CAEs to share it with their audit committee chairs to help those with no internal audit background to understand what they should ask for and why it matters. We want CEOs to understand what a good internal audit function looks like and raise expectations, regardless of whether the team is in-house, outsourced or a combination of the two.
The code does not prescribe how internal audit should respond to its new requirements. There is no single path to improvement. It is intended to inspire and stretch teams and we will provide inspirational case studies to help CAEs to think about how they might drive their function to full compliance. CAEs might also consider what skills they will need to develop or acquire to evolve their mindset
and capabilities.
Above all, the code is intended to start constructive conversations. I believe that to improve the quality of internal audit provision in all organisations we need CAEs to take the code to their audit committees and boards and say “this is what we need to do to improve what we can do for you”. The new Standards raise the baseline for our profession. The code is intended to increase aspirations for best practice and what that looks like.
The role of internal audit is not simply to report on a series of audits undertaken. We need people who can draw on all their work to identify the themes and root causes that matter and form an opinion about what this means and how issues can be fixed. If we are to have a seat at the highest tables, we need CEOs to want to call us on a Friday afternoon because they need our opinion on something that’s concerning them.
We’re not pushing at a closed door. Management wants CAEs who can provide opinions and be advocates of internal controls. This also means having a role in removing complexity from controls systems so CAEs and CEOs focus on things that matter, not just “noise”. We expect CAEs to be bold and courageous in how they add value to their organisation and we believe that the code can help to encourage this.
Importantly, the code is not so long that non-executives and CEOs will be deterred from reading it. Great conversations are the basis of most corporate improvements, and this is all about promoting those conversations. This is the start of a journey. If in a year’s time CAEs and chairs of audit committees can refer back to it, see how internal audit has progressed, and define what it will improve next, then it will achieve what we set out to do.
This article was published in September 2024.