As I write this, the UK financial services sector is in reasonable shape, despite challenging global economic and political conditions and the concerns raised by the EU referendum result. Just a few years ago it was a very different story.
In 2012, UK regulators were reflecting on the causes and consequences of the global financial crisis. As part of that process, they asked searching questions about the state of internal audit in financial institutions. While internal audit was not directly implicated in the biggest failures that caused the crash, there was nevertheless a sense that it could and should have done more to help avert – or at least to draw attention to – the decisions that precipitated the crisis.
Against that backdrop, and following discussions with regulators, the institute responded with a new approach: a framework for effective internal audit across the financial services sector, underpinned by the International Professional Practices Framework and IIA Global’s standards. We consulted widely with internal audit professionals, senior executives and non-executives; and set up an independent committee, chaired by Roger Marshall (audit committee chairman of Old Mutual), to develop what became the institute’s ‘Code for Effective Internal Audit in Financial Services’, published in July 2013. Its aim was to support internal audit to become a fully effective tool for boards to manage risk and help them to drive the right behaviours throughout organisations – to raise expectations.
The regulators participated in the process, warmly welcomed the Code when it was published, and have been referring to it ever since as a gauge of the effectiveness of corporate governance. As Prudential Regulation Authority chief Andrew Bailey put it, the Code “raised the bar”.
Since then the Code has benefitted internal auditors, and the organisations they serve, across all parts of the financial services sector. Boards and audit committees use it to deliver more effective challenge on the management of risk and internal control, through a better understanding of the role of internal audit and better and more productive engagement. And it has lent credibility and status to the profession.
Last year, we reviewed initial progress in implementation of the different provisions of the Code. The resulting progress report, Surfing the Wave (July 2015), showed a real impact in terms of internal audit’s access to the board and executive committees, its reporting lines and its resources. And earlier this year the Prudential Regulation Authority confirmed its view that “the Code has undoubtedly had a positive effect”.
But there is no room for complacency. When we published the Code, we promised to conduct a thorough review after three years. The time has come for us to deliver.
So we have been talking to heads of internal audit, to audit committee chairs, to other non-executives as well as executives, and to the regulators, to get a closer view on the current state of play and to discuss how best to conduct our review. The formal review process will get under way shortly – we will make an announcement about it soon. But I can already say that it will consist of two phases.
First, we will be seeking views from the profession and its clients; firm evidence of impact; and feedback about any areas where it has been challenging to implement the Code, or issues which are not covered adequately. We will do this by way of formal consultation, survey activity, and more in-depth discussions with individual institutions – of differing sizes, in different parts of the sector such as retail and investment banking, asset management and insurance.
Secondly, the evidence will be considered by an independent committee of senior practitioners, audit committee members and other non-executives, with input from the regulators. That committee will make recommendations about whether the Code needs to be amended; or whether the focus needs to be on additional guidance, on assessing performance against its provisions, or on other action to support the profession and raise standards.
We have raised the bar once. Perhaps the time has come to raise it again? The next few months will give us the answer.
This article was first published in October 2016.