New draft code for internal audit in banks and financial services

11 February 2013

The UK financial services sector's approach to managing risk and internal control is set for a boost from a new draft code for internal auditors published today, says the Chartered Institute of Internal Auditors (IIA).

The draft code has been developed in response to concerns from regulators and other stakeholders that expectations of internal audit have been too low. The proposed code aims to ensure internal audit functions more effectively protect their organisations from problems of the sort which impact the public purse, and damage reputations and confidence in the financial system.
 
The draft code has been produced by a committee established by the IIA and chaired by Roger Marshall, Audit Committee chair at several companies including insurer Old Mutual, with representation and observers from leading banks, insurers, the Financial Services Authority and the Bank of England.
 
The draft code builds on guidance recently issued by the Basel Committee and the US Federal Reserve Bank, but has been designed to take account of the UK corporate governance system and of the size and complexity of financial institutions in the UK. It includes recommendations that:
 
  • Internal audit's primary role is clearly stated as helping to protect the assets, reputation and sustainability of their organisation.
  • The scope of internal audit should be unlimited - internal auditors should not be barred from assessing the management of any risk in any part of the business.
  • Internal audit should assess whether the organisation's processes and actions are in line with its values, ethics, risk appetite and policies.
  • To ensure its independence and authority the primary reporting line of internal audit should be to the chairman of the board of directors, not to the chief executive.
  • Internal audit should be adequately resourced, skilled and quality assured.
 
Once finalised, the new code will provide UK financial services firms with a sector-specific benchmark against which boards and regulators can assess the effectiveness of their internal audit functions.
 
Roger Marshall said: "The new code is an important contribution to strengthening internal audit's role in improving the management of risk, in response to the financial crisis and more recent examples of failure to exercise proper control.
"Our aim is to encourage internal auditors to obtain a consistently wide view across the range of risks within their organisations and exert greater influence in ensuring that those risks are managed throughout the financial services sector. This will help clarify internal audit's role in relation to, for example, the quality of information on which boards base their decisions, or whether the risks associated with key decisions such as on takeovers, are properly managed."
 
Dr Ian Peters, chief executive of the Chartered Institute of Internal Auditors, said: "The proposed guidelines complement the existing international internal audit standards which are set by the Global Institute of Internal Auditors. However, the code will for the first time provide UK financial services sector-specific guidance. It is now vitally important that the sector provides its feedback on the draft code to ensure that it can support internal audit to perform its role to full effect. I look forward to receiving the committee's final recommendations and proposed code of practice following this consultation."
The deadline for comments on the draft code is Friday 12 April. 
