Internal Audit Code of Practice
Guidance on Effective Internal Audit Practices
The updated Internal Audit Code of Practice, effective from January 2025, aims to elevate the effectiveness and impact of internal audit functions within organisations across the financial services, private, and third sectors in the UK and Ireland.
The Code’s principles serve as a benchmark for best practices, providing a framework against which organisations can evaluate their internal audit functions. While the Code is principles-based, it is intended to be applied proportionately, considering the size, risk profile, and internal organisation of each entity, as well as the nature, scope, and complexity of its operations. Smaller organisations should apply these principles with these factors in mind.
Download the Internal Audit Code of Practice
Relevant guidance
Fully understanding how to practically implement each of the Code’s 37 principles requires cross-referencing with our comprehensive technical guidance. The following pieces of technical guidance are particularly relevant in supporting the Code’s implementation (this page will be updated as and when new guidance becomes available):
Purpose and mandate of internal audit
Supplemental Guidance: Model Internal Audit Charter
IIA Global - Model audit committee charter
Scope and priorities of internal audit
Risk assessments and prioritisation of internal audit work
Risk-based internal audit planning in financial services
Annual internal audit coverage plans
Emerging risk assessment in internal audit
Organisational culture
Culture embedding and evolving
Conduct culture for all sectors and non-FS internal auditors
Auditing staff welfare and wellbeing
Making culture part of your DNA
How to audit / perform board evaluations
Annual governance, risk and control assessments
The setting of, and adherence to, the risks the entity is willing to accept (risk appetite).
Risk appetite - concept and theory
Risk appetite - the role of internal audit
Risk appetite - the board's role
Key corporate and external events
Adapting to economic uncertainty: internal audit's journey
Navigating geopolitical risk: building resilience requires collaboration in a challenging world
Crisis management - extreme events
Auditing projects in the early stages
Capital and liquidity risks
Bank’s capital and liquidity – auditing ICAAP and ILAAP
Adapting to economic uncertainty: internal audit's journey
Avoiding the blind spot: Supporting financial stability and resilience
Financial viability - information guidance for internal auditors
Risks of poor customer treatment, giving rise to conduct or reputational risk
Auditing new product development
Environmental sustainability, climate change risks and social issues
Organisations’ preparedness for climate change: an internal audit perspective
Supply Chain ESG Risks: Harnessing the Potential of Internal Audit
Climate financial risk auditing
Climate impact within supply chains
European sustainability reporting standards
Preparing for a disrupted climate transition
Well-being of future generations
Working conditions: climate impact
Climate action: IA implications
Internal audit's role in ESG reporting
Corporate social responsibility
IIA Belgium: ESG Sustainability - A Risk or Opportunity for Internal Audit?
ECIIA: Embedding ESG shifting expectations
Global IIA - Evaluating ethics programmes
Financial crime, economic crime and fraud
Fraud is on the rise: step up to the challenge
Position Paper: Internal audit and corrupt practices
Fraud Risk Assessment - an overview (Further reading)
Managing the business risk of fraud
Using IT to prevent and detect fraud
Internal Audit and Fraud: Assessing Fraud Risk Governance and Management at the Organizational Level
Engagement planning: fraud risks
Technology, cyber, digital and data risks
Mind the Gap: Cyber security risk in the new normal
Auditing artificial intelligence
Analytics, data mining and big data
AI: practical applications (part a)
AI: practical applications (part B)
Auditing cyber security culture
Data breach incidents and response
Cybersecurity - IA and the CISO
Cybersecurity - Incident Response and Recovery
How to derive an IT audit universe
Risk management, compliance, finance and control functions
Managers acknowledging risk
How to audit Employee engagement
How to audit Performance management
How to audit Reward and recognition
How to audit Recruitment and selection
How to audit Talent management
How to audit Training and development
How to audit Accounts receivable
How to audit accruals and prepayments
How to audit Bank reconciliation
How to audit the markets in financial instruments directive
How to audit interest rate risk management
How to audit Travel and expenses
How to audit Health and safety
How to audit Workforce planning
Outcomes of processes
Reporting results
Delivering internal audit findings
Following up recommendations/management actions
Things to consider when preparing your internal audit opinion
Interaction with risk management, compliance, finance and control functions
Position paper – Risk management and internal audit
Coordination of assurance services
Five steps to create an assurance map
Working relationship between risk management and internal audit
Independence and authority of internal audit
How internal audit works with the audit committee
Position paper – Independence and objectivity
Position paper - The rotation of heads of internal audit
Resources
Annual internal audit coverage plans
How to set up a new internal audit activity
Future-proofing internal audit
Diversity, Equity, and Inclusion (DEI) 101
Driving an inclusive culture (IIA & Deloitte)
How to audit Diversity and Inclusion
AI: practical applications (part a)
AI: practical applications (part B)
Quality assurance and improvement programme (QA&IP)
Quality and the International Standards
Quality assurance and improvement programmes
Ensuring quality in the smallest internal audit activities
Internal audit performance management
Measuring internal audit effectiveness and efficiency
Relationships with regulators and external audit
Position paper - Internal audit's relationship with external audit