Internal audit has come a long way in the past 20 years, but, as we embark on a new decade there are clear areas where we could – and must – do more. As Richard Chambers, president and CEO of IIA Global, pointed out recently, internal audit methodology has changed little in the past two decades. How many organisations do you know that could say the same? We need to look hard at what internal audit is and must be in the next ten years. Are we fit for purpose? If not, we will cease to be relevant and will become obsolete.
Adding value may mean rocking the boat. We need to raise issues as things change in our organisations and in the wider environment and we need to be part of finding solutions to emerging concerns, such as climate change, disruption, diversity and inclusion. We also need to improve the conversations we have with audit committees and boards to increase their understanding of what we can potentially do for them and how they should harness the power of internal audit.
The primary purpose of the new Internal Audit Code of Practice is to provide a basis for conversations aimed at enhancing the overall effectiveness of internal audit, and its impact, in organisations operating in the UK and Ireland. Its recommendations can be seen as benchmarks of good practice against which organisations can assess their internal audit function. At its most basic, the code supports the International Standards by setting out guidelines for things such as the role and mandate of internal audit, internal audit scope and priorities, interaction with first and second lines of defence, the reporting line of heads of internal audit and attendance at board meetings.
These things put internal auditors in a position within the organisational structure that should help them to be effective. However, beyond this, the code is intended to prompt essential conversations and raise awareness about the potential support that internal audit could provide to boards in future.
Some organisations already conform to most, if not all, of the code’s recommendations, but many do not. The code will give these teams the impetus to start discussions about the value of internal audit and how their expertise can be used to the full – and about directors' expectations of them.
We have already seen the success that the Chartered IIA’s financial services code has had in raising the baseline of what is expected of internal audit teams in the sector. We hope the new code will prompt similar discussions and benchmarking exercises across the private and third sectors.
Now is the perfect time to start such conversations. Donald Brydon’s independent review into the quality and effectiveness of audit was published in December and had some important recommendations for internal audit. For a start, he welcomed our new code and noted that: “Enhancing the role of the internal audit profession ought to assist audit committees in their work.” The review recommends that organisations should report explicitly on their audit and assurance policy and notes that this should increase transparency around the role and activity of internal audit. It suggests that external auditors should make more use of internal audit in their reports.
Brydon also refers to the increasing debate about whether the UK should develop its own version of the US Sarbanes-Oxley (SOX) Act. This raises important challenges for internal auditors – where should responsibility and accountability lie? I would argue that these fall under the first and second lines of defence, since internal audit is not part of the control environment, but provides assurance that controls are working. However, internal auditors should think about how they will advise their organisation if UK Sox becomes a reality.
In the past month I’ve talked to around 65 audit committee members. I’m keen that we continue the discussions prompted by the new code and by the Brydon review and offer more support for our key stakeholders by helping them to understand better what we can do for them. We already know that the 2020s will be very different from the 2010s. Internal audit must position itself now if it is to be fit for the challenges ahead.
This article was first published in March 2020.