Value: do we need an internal audit code?

In September, after a year-long consultation, the institute published its revised Guidance on Effective Internal Audit in the Financial Services Sector, better known as the financial services code. This code was first launched in 2013 after the global financial crisis, and it built on guidance from the Basel Committee and the US Federal Reserve Bank. It took into account the UK corporate governance system and the complexity of UK financial institutions. The aim was to improve the overall effectiveness of the internal audit function, help internal auditors to protect their organisations from future financial services scandals and restore confidence in the financial system. 

As those in the financial services sector know, the review led to modest amendments, which provided clarity rather than substantial change. The code has received an overwhelmingly positive response, not only from the financial services sector, but also from the profession more widely. Many have suggested that the Chartered IIA should write a similar code for other sectors, or one for all internal auditors.

Corporate governance is high on the political agenda, so there has never been a better time to propose a universal internal audit code. The financial services code was produced after the financial crisis, but we shouldn’t wait for a similar event to highlight the need for a code for all internal auditors. 

The revised code could easily be adapted to apply to internal audit more generally. Many sections encompass principles that the Chartered IIA considers integral to any effective internal audit function, including those on: internal audit’s role and mandate; its scope and priorities; the independence and authority of internal audit; and resources. 

For example, the code states that: internal audit’s scope should be unrestricted; the primary reporting line for the chief internal auditor should be to the chair of the audit committee; and the chief internal auditor should ensure that the audit team has the skills and experience, including technical subject matter expertise, commensurate with the scale of operations and risks of the organisation. These principles are best practice. All internal audit functions, regardless of size, should adhere to them. 

Furthermore, the code comprises voluntary best practice guidelines, meaning that smaller organisations do not have to follow it to the letter. This principles-based approach would be mirrored in any general internal audit version. 

The code consultation revealed that the original provisions were fundamentally sound – 82 per cent of respondents said it had largely or completely achieved its aims. In addition, most said it had enhanced the relevance, profile and reporting lines of internal audit in financial services institutions. A universal internal audit code could increase the profile and effectiveness of internal audit across many more organisations. 

Lastly, an internal audit code would complement the International Professional Practices Framework (IPPF): the code would be principles-based guidance, while the IPPF provides the underpinning Standards. Together, these could form a strong backbone for internal audit functions to provide assurance that their organisation’s risk management, governance and internal control processes operate effectively.

This article was first published in October 2017.