Internal Audit Code of Practice

Guidance on Effective Internal Audit Practices

The updated Internal Audit Code of Practice, effective from January 2025, aims to elevate the effectiveness and impact of internal audit functions within organisations across the financial services, private, and third sectors in the UK and Ireland.

The Code’s principles serve as a benchmark for best practices, providing a framework against which organisations can evaluate their internal audit functions. While the Code is principles-based, it is intended to be applied proportionately, considering the size, risk profile, and internal organisation of each entity, as well as the nature, scope, and complexity of its operations. Smaller organisations should apply these principles with these factors in mind.

Download the Internal Audit Code of Practice


Relevant guidance

Fully understanding how to practically implement each of the Code’s 37 principles requires cross-referencing with our comprehensive technical guidance. The following pieces of technical guidance are particularly relevant in supporting the Code’s implementation (this page will be updated as and when new guidance becomes available):


Purpose and mandate of internal audit

Internal audit charter

Supplemental Guidance: Model Internal Audit Charter

IIA Global - Model audit committee charter

Insight and internal audit


Scope and priorities of internal audit

Risk assessments and prioritisation of internal audit work

Risk maturity assessment

Risk-based internal audit planning in financial services

Annual internal audit coverage plans

The role of internal audit

Audit universe

Emerging risk assessment in internal audit

Organisational culture

Cultivating a healthy culture

Auditing culture

Auditing risk culture

Culture and internal audit

Culture embedding and evolving

Models and tools

Conduct culture for all sectors and non-FS internal auditors

Workforce voice

Auditing staff welfare and wellbeing

Making culture part of your DNA

Organisational culture

IIA Global: Auditing culture

Internal Governance

How to audit / perform board evaluations

Auditing corporate governance

Annual governance, risk and control assessments

The setting of, and adherence to, the risks the entity is willing to accept (risk appetite).

Risk appetite - concept and theory

Risk appetite - the role of internal audit

Quantitative Risk Appetite

Risk appetite - the board's role

Key corporate and external events

Adapting to economic uncertainty: internal audit's journey

Navigating geopolitical risk: building resilience requires collaboration in a challenging world

Crisis management - extreme events

Organisational change

Projects

Auditing projects in the early stages

Research and development

Outsourced services

Capital and liquidity risks

Bank’s capital and liquidity – auditing ICAAP and ILAAP

Adapting to economic uncertainty: internal audit's journey

Avoiding the blind spot: Supporting financial stability and resilience

Financial viability - information guidance for internal auditors

Risks of poor customer treatment, giving rise to conduct or reputational risk

Auditing new product development

Auditing reputational risk

Environmental sustainability, climate change risks and social issues

Organisations’ preparedness for climate change: an internal audit perspective

Supply Chain ESG Risks: Harnessing the Potential of Internal Audit

Carbon usage

Climate change and impact

Climate data and reporting

Climate financial risk auditing

Climate impact within supply chains

Climate strategy

European sustainability reporting standards

Preparing for a disrupted climate transition

Sustainable product risk

Well-being of future generations

Working conditions: climate impact

Climate action: IA implications

Internal audit's role in ESG reporting

Corporate social responsibility

IIA Belgium: ESG Sustainability - A Risk or Opportunity for Internal Audit?

ECIIA: Embedding ESG shifting expectations

Supply chains

Auditing social commitments

Gender pay

Human rights reporting

Modern Slavery Act 2015

Reducing enterprise risk

Slavery and human trafficking

Global IIA - Evaluating ethics programmes

Financial crime, economic crime and fraud

Fraud is on the rise: step up to the challenge

Position Paper: Internal audit and corrupt practices

Fraud

Anti-money laundering

Fraud Risk Assessment

Fraud Risk Assessment - an overview (Further reading)

Fraud Monitoring

Fraud Culture and Governance

Managing the business risk of fraud

Using IT to prevent and detect fraud

Internal Audit and Fraud: Assessing Fraud Risk Governance and Management at the Organizational Level 

Engagement planning: fraud risks

Technology, cyber, digital and data risks

Mind the Gap: Cyber security risk in the new normal

Auditing artificial intelligence

Embracing data analytics

Analytics, data mining and big data

Auditing spreadsheets

Digital governance

How to audit algorithms

Auditing models

IIA Global Data Analytics

Artificial intelligence

AI: practical applications (part a)

AI: practical applications (part B)

Auditing cyber security culture

Ransomware auditing

Data breach incidents and response

Cyber risk

Cyber security

Social engineering

Cybersecurity - SEC changes

Cybersecurity - IA and the CISO

Cybersecurity - Incident Response and Recovery

How to derive an IT audit universe

Risk management, compliance, finance and control functions

Managers acknowledging risk

Standards for managing risks

How to audit Employee engagement

How to audit Performance management

How to audit Reward and recognition

How to audit Recruitment and selection

How to audit Sickness absence

How to audit Talent management

How to audit Training and development

How to audit accounts payable

 How to audit Accounts receivable

How to audit accruals and prepayments

How to audit Bank reconciliation

How to audit collections

How to audit asset management

How to audit the markets in financial instruments directive

How to audit interest rate risk management

How to audit Travel and expenses

How to audit Health and safety

How to audit Workforce planning

How to audit Shared services

Outcomes of processes

Outcomes of processes


Reporting results

Delivering internal audit findings

Following up recommendations/management actions

Things to consider when preparing your internal audit opinion

Effective Report Writing

Interaction with risk management, compliance, finance and control functions

Position paper – Risk management and internal audit

Coordination of assurance services

Five steps to create an assurance map

Working relationship between risk management and internal audit

Operational responsibilities


Independence and authority of internal audit

How internal audit works with the audit committee

Position paper – Independence and objectivity

Position paper - The rotation of heads of internal audit


Resources

Annual internal audit coverage plans

How to set up a new internal audit activity

Secondments

Future-proofing internal audit

Coaching

Communication skills

Difficult clients

Mentoring

Diversity, Equity, and Inclusion (DEI) 101

Driving an inclusive culture (IIA & Deloitte)

How to audit Diversity and Inclusion

IIA Global Data Analytics

Artificial intelligence

AI: practical applications (part a)

AI: practical applications (part B)

Embracing data analytics

Managing a dispersed team


Quality assurance and improvement programme (QA&IP)

Quality and the International Standards

Quality assurance and improvement programmes

Ensuring quality in the smallest internal audit activities

Internal audit performance management

Improving audit efficiency

Measuring internal audit effectiveness and efficiency

Internal audit manual

Internal audit file reviews


Relationships with
 regulators and external audit

Position paper - Internal audit's relationship with external audit

Managing internal audit’s relationship with regulators