View from the top: We need to talk about audit
I agreed to chair the steering committee of the Chartered IIA's new Internal Audit Code of Practice because, as chair of a large organisation's audit committee, I could see that we urgently need to address how organisations view and use their internal audit functions – and what they should expect from them. In the past few years we have seen a series of corporate collapses and questions about the value of the assurance that organisations offer their stakeholders. The time is right for a code that makes us all think about how internal audit functions in every sector in the UK and Ireland.
This is also why it is essential that the new code is a living document. It is not something to read and file in a drawer – we want chief audit executives (CAEs) to share it with their boards and their audit committees, to assess where their function currently meets the code's recommendations, and where it does not. Internal audit functions differ across sectors and some will be further from conforming to all the recommendations than others. But all should consider seriously whether they need to make changes to meet today's critical and evolving demands.
We are not the only ones asking these questions. Three recent major reviews into the role of assurance in organisations are highly likely to lead to new regulations, in addition to a new regulator. Senior executives will face new obligations, so pressure is mounting to improve the assurance offered to stakeholders and to disclose how boards are benefiting from and considering this assurance when they make decisions.
I believe that there is likely to be a more public role for internal audit in future as we see increased disclosure about the function in public reports, and a clearer public view on how organisations are using their third line of defence. To prepare the profession and senior executives for this, we need to establish and promote a consistent standard for internal audit functions in all types of organisation.
In many cases, this will involve repositioning the function to give it, and its CAE, the necessary profile and level of seniority to challenge decisions and policies effectively at the highest levels – and expect to be listened to. It will also mean that more audit teams will have to look comprehensively at non-traditional, complex areas such as culture, and may need to introduce new skills and processes to do this.
These changes require conversations with senior management and audit committees and the code provides a basis for these discussions. We also expect regulators to acknowledge the existence of the code and the important contribution it can make to assurance in the UK and Ireland. The Chartered IIA will play its part in promoting the code to regulators and its members, but its success will depend on how internal auditors use it in practice to develop their team and its value to their organisations.
As a starting point, there are three key recommendations out of the 38 in the code that particularly stand out for me. First is the unrestricted scope of internal audit responsibilities. This is important because many people think that internal audit already has unrestricted scope, but there are areas where internal audit has not traditionally ventured and we've tried to provide clarification about these.
The second key recommendation is the status or standing of the CAE. The code says that this should be "appropriate" – they won't be able to challenge the CEO effectively if they sit somewhere in the middle of the organisation's hierarchy. This is also why their reporting line is important. We believe they should report to the audit committee chair and that, if there has to be a secondary reporting line, this should be to the CEO. They should also have the right to attend executive-level meetings or their equivalent – not as a member, but as an observer.
Thirdly, it is important that internal audit should provide assurance over key corporate events – the things that happen only rarely and for which organisations don't have well-established controls and policies. Internal audit should be able to look at the effectiveness of controls and offer assurance on the information that forms the basis for executive decisions.
For those who ask "does this code apply to me?" the answer is yes. Small organisations may not be able to conform with all the recommendations, and the code says the response should be proportionate to their size and complexity, but this is not an opt-out. All internal audit functions should look at how they meet these recommendations and reassess their performance regularly.
Too often after crises we hear people say "If only I'd understood this better". The point of this code is to help internal audit highlight the critical issues that executives need to be aware of before they reach crisis point.
Brendan Nelson chaired the steering committee that drew up the Internal Audit Code of Practice.
This article was first published in March 2020.