AuditBoard Live Webinar banner advert Diligent One Platform World tour ad April 2024 TeamMate ESG advertising banner 2023

Risk management in financial services firms may be boosted by progress in implementing new internal audit code

12 May 2014

Governance and risk management in financial services firms may receive a boost by significant progress being made on implementing new guidelines designed to ensure that internal auditors can more effectively identify and report concerns about how risks are being managed, says the Chartered Institute of Internal Auditors (IIA). 

The IIA’s new Code on Internal Audit in financial services was launched last year to help all firms improve their management of risks as they respond to intense public, investor and regulatory pressure to improve corporate governance. The Code is backed by the Financial Conduct Authority (FCA) and Prudential Regulatory Authority (PRA).

A recent survey conducted by the IIA amongst financial services sector heads of internal audit, to assess the extent to which firms are embracing the Code, reveals a high level of engagement with the guidelines at the most senior organisational levels. Compliance with the key recommendations set out in the Code is also high. Over four-fifths (82%) of firms reported that they now only need to make minor changes in order to be fully compliant with the guidelines, while just 16% of Heads of Internal Audit reported the need to make significant improvements.

Survey results in relation to key elements of the Code, reveal:-

  • Access to the board: the Code recommends that the primary reporting line of internal audit departments should be to the board.  For 84% of respondents this is now the case, and only two per cent of heads of internal audit said that they were unlikely to be able to achieve this.  The vast majority (96%) of audit committees were also said to be aware of the new Code, as were an overwhelming proportion (93%) of chief executives. 
  • The scope of internal audit should be unrestricted: while 93% of heads of internal Audit said that their scope was unrestricted, one in ten (11%) noted that capital and liquidity risks, both important risk areas for banks, are not currently within their scope.
  • Internal audit should be adequately resourced, skilled and quality assured, and Chief Internal Auditors should have sufficient standing and authority to challenge the Executive: several heads of internal audit raised concerns about ensuring that their teams were adequately resourced, while just 16% of respondents said that it could be difficult to ensure that they gained sufficient seniority and influence to comply with the Code’s recommendations that they should be represented at the firm’s executive committee level. 
  • Internal audit should assess whether an organisation’s processes and actions are in line with its values, ethics, risk appetites and other policies - 34% of heads of internal audit said the most challenging area of the Code was the enhanced role for internal audit in assessing organisational culture, both in terms of risks and controls and in how it treats customers or behaves in markets.


Dr Ian Peters, Chief Executive of the Chartered Institute for Internal Auditors (IIA) says: “Less than a year since this Code was launched, we can already see several important early signs of success.

“It’s encouraging that so many firms are well on their way towards full compliance and crucially, that there is such strong awareness at the very top of financial services firms.  Engagement from the top is absolutely fundamental to ensuring that internal audit has the resources and clout to do the job properly, and where heads of internal audit are raising concerns about their scope, seniority or their resources, audit committee chairs and other board directors need to ask whether they are meeting the regulators’ expectations on the management of risk and adoption of our code.”

Recognising concerns highlighted in its survey about the role that internal audit can play in providing assurance that a firm’s culture is appropriate, the IIA is planning guidance on this, for use in all sectors, later this year.


Read the full report