
Embedding effective internal audit in the financial services sector


We conducted a survey of heads of internal audit to find out what progress they were making on implementing the IIA's financial services code. We also conducted interviews with respondents to get a more detailed picture of the action they had taken, their progress and the challenges they faced.

The report, produced with kind support from Protiviti, follows.


Executive summary
Survey findings
Identifying the scale of the task
Key compliance areas
Challenges ahead
Auditing culture
Other practical challenges
View from an audit committee chair, case studies


The Chartered Institute of Internal Auditors (IIA) published its Financial Services Code, "Effective Internal Audit in the Financial Services Sector", in July last year. It contained guidance developed by an independent committee made up of non-executives, executives and internal audit practitioners, chaired by Roger Marshall, Audit Committee Chair of a FTSE 100 insurance group and a Director at the Financial Reporting Council.

The two financial regulators welcomed the Code, adding that they would use it to assess the effectiveness of internal audit in carrying out their supervisory judgement. The Code is therefore not just a valuable tool for internal auditors. It is a key input into the way boards, audit committees and executives will be expected to use and interact with their internal audit functions.

Since its introduction we have been asked how financial institutions are faring in using the Code. How far have they got in implementing the various recommendations, what sort of support have they received from their stakeholders, which parts of the Code are relatively simple to implement and which are more difficult?

This report represents a snapshot of where financial services organisations have got to, based on a survey of Heads of Internal Audit who are members of the IIA. Its purpose is to give insights into the extent to which financial services institutions are embracing the Code's recommendations, the opportunities the Code presents, and the challenges it poses.

I hope these are useful to audit committees, senior executives and Heads of Internal Audit as they consider the effectiveness of their internal audit functions. This report has been produced with support from Protiviti, whom I would like to thank. 

Dr Ian Peters
Chief Executive
April 2014 

Executive summary

The Chartered Institute of Internal Auditors (IIA) launched its Financial Services Code, "Effective internal audit in the financial services sector", in July 2013. In this report we publish the findings of a survey of IIA member Heads of Internal Audit (HIAs) in the financial services sector, carried out in November 2013, to provide a snapshot of progress towards implementation of the Code. We would like to thank Protiviti for their generous support for this project.

Forty-four HIAs responded to the survey. We also conducted follow-up interviews with one-third of respondents and two in-depth interviews. Participants in the survey represent key parts of the UK financial services sector, including banking, insurance, building societies and credit unions, and asset management.

Our survey and interviews reveal clear concerns about proportionality in the implementation of the Code. No two institutions are the same, and there clearly needs to be a dialogue between organisations and the regulators about individual circumstances, in particular relating to size. Many of the Code's recommendations (such as those on reporting lines, adequacy of resources or HIA remuneration) require boardroom buy-in, and their implementation should be championed by the chair of the audit committee. The chair will also need to be prepared to defend arrangements that do not match the Code's guidance.

The challenges regarding the audit of culture apply across the spectrum of financial services institutions. So too do those relating to resourcing. Small firms are constrained by having small internal audit teams, while larger firms have also indicated that they have to present a reasonable business case as to why internal audit may need more people/outsourced services.

These are however early days, and the IIA is working to identify good practice in implementing the Code in a range of institutions. Part of this work will be to establish how the regulators are responding to the sorts of issues identified in this survey.

The key findings of our survey are:

• Awareness of the Code is high (audit committees 96%, chief executives 93%, other senior executives 91%, board 80%). 

• Over four-fifths of respondents (82%) believe that they only need to make "minor changes" to follow the Code fully.

• Some 16% say it will be difficult to ensure that the HIA has the appropriate standing called for in the Code, i.e. at executive committee level. 

• Around one in seven (14%) foresees problems trying to ensure that internal audit's scope includes strategic and operational information. 

• Only 2% say they are unlikely to be able to make their primary reporting line to the chair of the audit committee, and 14% their secondary reporting line to the CEO. 

• Auditing culture is seen as the most difficult area of the Code (recommendation 6d) with 34% saying it poses significant challenges. 

• Several HIAs have concerns about adequate resourcing to meet the recommendations of the Code.

• Some also question the degree of internal audit's involvement in assessing management's decision-making and attitudes to risk. 

• Some HIAs have questioned how they can assess the adequacy of their approach against the Code.


This report discusses progress within UK financial services sector institutions in implementing the recommendations of the Institute's voluntary Code, "Effective Internal Audit in the Financial Services Sector". It is based on a survey of Heads of Internal Audit (HIAs), after which we conducted follow-up telephone interviews with 15 respondents to provide more information and context. Both attributed and anonymised comments are included within this report. We also conducted two in-depth case studies.

The report aims to provide valuable insights into the extent to which financial services institutions are embracing its recommendations, the opportunities and the challenges it presents. These should prove useful to audit committees, senior executives and HIAs as they consider the effectiveness of their internal audit functions as a part of good corporate governance.

The Code was published in July 2013 following an extensive consultation across the financial services sector, which was conducted by an independent committee, under the leadership of Roger Marshall, Chair of the Audit Committee of Old Mutual, the London based insurer. It consists of 29 recommendations identifying best practice for organisations and their internal audit departments to provide the necessary degree of independence, objective oversight, challenge and assurance to enable boards and senior management to make better informed strategic and operational decisions.

There were 44 responses to the survey. While this report is not a comprehensive analysis of the adoption of the Institute's Code it gives a good indication of what is happening on the ground. Its findings and conclusions suggest that, in under a year since its launch, the Code is playing an important part in those organisations which responded to our survey, supporting boards and audit committees to harness their internal audit functions more effectively as they strive to demonstrably increase their emphasis on good corporate governance and the management of risk.

The commitment of boards, audit committees and senior executives to embrace the Code is crucial both within individual organisations and across the financial services sector as a whole. As Roger Marshall stated in his opening comments to the Code: "Whilst we have addressed our recommendations to the Chartered Institute of Internal Auditors, we appreciate that many of them can only be implemented by boards, audit committees and executive management". So it is pleasing to see that over 90% of respondents to our survey indicated that their audit committees and chief executives were aware of the Code.

The Institute is very appreciative of all those who took the time to respond to our survey and particularly those who provided us with detailed insights during one-to-one interviews.

Survey findings

What is your financial services sector organisation?

The chart below shows the spread of respondents across the different parts of the financial services sector.

[Chart: type of organisation, as a percentage of survey participants. Categories: retail bank, wholesale bank, building society, credit union, asset management, financial adviser, other (please specify). Percentages not reproduced in this text version.]

What is the staff size of your organisation?

This relates to the number of people in full-time employment. If part of a group, the part for which you are responsible.

The chart below shows the respondents' profile by size of organisation. Some 32% work in financial institutions with between 250-1,000 employees.

[Chart: respondents' profile by staff size of organisation.]

Are the following aware of the FS code?

The vast majority (93%) of HIAs were aware of the Code prior to its publication, with two-thirds (66%) hearing about its development from the Institute. Nearly a quarter (23%) of respondents heard about the development of the Code from regulators such as the Financial Conduct Authority or the Prudential Regulation Authority, or from one of the professional services firms that provide their organisations with external audit and/or internal audit services.

Even though the Code had only been published a few months prior to the survey being carried out, nearly all (96%) respondents say that their audit committees are aware of the Code, as are their chief executives (93%) and other senior executives (91%). Boardroom awareness, however, is a little lower (80%), though still high.

[Chart: awareness of the FS Code among audit committees, chief executives, other senior executives and boards.]

HIAs have responded favourably to the Code. Chris Field, Head of Internal Audit at Yorkshire Building Society, says: "I think that the FS Code is at exactly the right spot. If you look at the various crises and scandals that have hit the industry in recent years, it is evident that internal audit needs to ask more questions about the culture and leadership of the organisation."

Nicola Rimmer, Vice-President, Internal Audit at Barclays Bank, who is the current IIA President, says that "the Code spells out more clearly what the expectations of internal audit should be, and how the profession can provide more assurance in areas that have traditionally not been part of internal audit's remit, such as business culture."

Identifying the scale of the task

  • Over 90% of respondents (93%) have performed a gap analysis to measure their level of compliance with the Code, with 39% confident that their practices reflect those in the Code
  • One-third (34%) of respondents are reviewing individual aspects of their organisational structures and practices to ensure that internal audit covers each of the Code's recommendations

Most HIAs have already started benchmarking their activities and structure against the Code's recommendations. Almost two-fifths of respondents (39%) say that, having performed a gap analysis between the Code and the internal audit function's existing practices, they are "confident" that their current approach reflects the practices put forward in the Code.

One-third (34%) of respondents say that their approach is to review individual aspects of their organisational structures and practices to ensure that internal audit covers each of the Code's recommendations, while 9% say that they are reviewing their whole structure and approach to internal audit with a view to implementing wide-ranging reform reflecting the Code. None say that they comply fully, and 7% said that they had yet to undertake a gap analysis.

Over four-fifths (82%) of HIAs believe that they only need to make "minor changes" to follow the Code fully, while one in six respondents (16%) say that they need to make "significant" improvements. Only one respondent said that his/her department needed to make "material improvements" to fully meet the Code.

In the post-survey interviews, the majority of HIAs who responded said that they were confident that they will fully comply by the end of 2014. The response of Christine Wareham, Head of Internal Audit at United Trust Bank, was fairly typical: "Where small gaps against full compliance are identified, these areas will be added to our internal audit plan and annual training plan to ensure that we meet the required level of compliance by the end of 2014."

What action is your organisation taking to implement the provisions of the FS Code?

Action the organisation is taking (percentage of survey respondents, as reported in the text above):

  • None - we are yet to undertake a gap analysis (7%)
  • None - we already comply (0%)
  • We have performed a gap analysis between the Code and our practices, and we are confident that our current approach reflects the practices put forward in the FS Code (39%)
  • We are reviewing our structure and approach to internal audit with a view to implementing wide-ranging reform reflecting the FS Code recommendations (9%)
  • We are reviewing individual aspects of our organisational structures and practices to ensure we cover each of the recommendations of the FS Code (34%)
  • Other (please specify) (percentage not given in the text)

Key compliance areas

  • All HIAs believe they report to the appropriate governing body
  • Nearly nine out of ten (89%) say that internal audit is independent of risk management, compliance and finance
  • Over four-fifths (84%) say that their primary reporting line is to the audit committee chair

There are several areas where the Code is already strongly complied with. For example, 100% of HIAs say that they report to the appropriate governing body (recommendation 7), while nearly all (93%) say that internal audit's scope is unrestricted (recommendation 3) and that audit plans are flexible and that any changes are approved by the audit committee (recommendation 5). A similar number (93%) say that internal audit has access to key management information (recommendation 14).

Nearly nine out of ten HIAs (89%) say that internal audit is independent of risk management, compliance and finance (recommendation 9), and that they assess the adequacy of these departments (recommendation 10). The same percentage indicates that they ensure that the internal audit team has the necessary skills and resources to do its job effectively (recommendation 21). The vast majority of respondents (89%) also say that the HIA and other senior team members have an open, constructive and co-operative relationship with regulators (recommendation 29).

Furthermore, 84% say that they comply with recommendation 1 which states that internal audit supports the board on risk management, governance, and internal control (the remainder say that they foresee "no difficulty" in complying), while the same percentage says that the board, its committees and executives set the right tone at the top to support internal audit (recommendation 2). 84% also say that internal audit's scope includes capital and liquidity risks (recommendation 6f) and that the HIA's primary reporting line is to the chair of the audit committee (or similar role) as per recommendation 15.

Challenges ahead

  • Some 16% of respondents say it will be difficult to ensure that the HIA has appropriate standing, i.e. at executive committee level
  • Around one in seven (14%) foresee problems trying to ensure that internal audit's scope includes strategic and operational information
  • Some 14% cannot ensure that their secondary reporting line will be to the CEO, but only 2% foresee difficulty in being able to report directly to the chair of the audit committee as their primary reporting line 

While over 80% believe that they only need to make minor changes, there are areas that represent a challenge to HIAs and their audit committees. Nearly one in ten believe that they will have difficulty trying to comply with recommendation 19 of the Code, which states that HIAs should ensure that subsidiary, branch and divisional heads of internal audit report to the group head of internal audit directly, as opposed to the chief executive or finance director. 

Just over 10% of respondents say that they will have problems complying with recommendations 4, 6c, 13 and 17 of the Code. These state that: internal audit forms an independent view of key strategic risks, assesses how they are managed and has a risk-based audit approach (4); internal audit's scope includes the setting of and adherence to risk appetite (6c); internal audit has the right to attend/observe executive committee meetings (13); and the audit committee chair is responsible for tasking and appraising the head of internal audit (17).

On auditing risk appetite, one HIA says: "Auditing risk appetite is a challenging area, we will need to assess employees' understanding of the organisation's risk appetite, and how that relates to the job that they do. Assessing how someone's work and approach reflects the organisation's risk appetite will be perhaps more subjective than some internal auditors would like."

Another adds: "I am unsure whether internal audit should be assessing the 'tone at the top' itself, or checking whether there are processes in place to check the tone at the top and the organisation's risk appetite. Can internal audit assess whether the values being communicated are the right ones?"

Around one in seven respondents (14%) foresees problems trying to ensure that internal audit's scope includes strategic and operational information (6b of the Code). The same percentage also believe that they may not be able to ensure that their secondary reporting line will be to the CEO (recommendation 20 of the Code), whereas only 2% foresee difficulty in reporting directly to the chair of the audit committee as their primary reporting line.

One HIA is concerned that the recommendations regarding the reporting line may be too prescriptive: "While my first reporting line is to the chair of the audit committee, my second line is to the CFO - not the CEO. This arrangement suits our organisation and does not impact the work of internal audit or our independence." Another HIA says: "It is not practicable for us to report to the chief executive in our organisation."

Some 16% of respondents also say that it is going to be difficult to gain boardroom support for the head of internal audit getting the appropriate seniority (at executive committee level - recommendation 12). As one HIA says: "I think some organisations will struggle to comply with recommendation 12. Small internal audit functions are unlikely ever to achieve that kind of relationship with executive management, especially if the legacy has always been that internal audit does not have that kind of relationship. Trying to elevate internal audit's status would just look self-serving."

The same percentage of respondents (16%) say that it will be difficult to get boards to support making the audit committee chair responsible for recommending the HIA's remuneration structure (recommendation 18). Currently only one-quarter say that this happens. One respondent explains: "The chair of the audit committee does not have the experience, expertise, or time to appraise the head of internal audit's work and remuneration."

Auditing culture

  • Auditing culture is seen as the most difficult area of the Code, with around one-third saying it poses significant challenges
  • However, some HIAs are already making progress on how to approach the audit of culture

Recommendations 6d and 6e represent the most difficult area of the Code: over one-third (38%) of HIAs say they will pose significant challenges. These cover the organisation's culture, both its risk and control culture and the way it treats its customers or behaves in markets. One respondent said that he/she welcomed the IIA's work in this area and would wait until further guidance was issued before conducting a culture audit.

Chris Field at Yorkshire Building Society says that: "recommendations 6b and 6d go right to the heart of what the board does and not many internal audit departments are currently positioned to provide robust assurance in these areas. As a head of internal audit you will need to have personal credibility and the function will need to be really championed and supported to be able to follow these recommendations. The Code aims very high here and I doubt that many organisations can presently say that they genuinely follow them."

David Barnes, Chief of Staff, Global Internal Audit at HSBC, says that: "auditing risk culture is going to be a real challenge for many internal audit functions. It requires auditors to adopt a different approach and mindset and you need an enhanced set of skills and understanding to do it effectively. Also, how do you carry out a culture audit? Do you do a specific culture audit, or should it be embedded within the scope of normal audit work, or be a combination of the two? Should you also seek to link cultural issues through root-cause analysis?"

Some are already making progress on how they can approach a culture audit. Barclays' Nicola Rimmer says that internal audit "needs to know as a profession what 'business culture' is supposed to look like before we try to audit it", adding that "one of the steps that we have already taken is to set up a rating system to see how managers deal with risks - such as the speed at which they implement recommendations, and the time it takes for them to report new risks. Currently, this is at a business unit level and is reported quarterly. We plan to incorporate this approach into every audit we carry out." She also says that "the timing of the Code's launch has tied in neatly with a corporate-wide review of the bank's culture and practices, so it has not been a problem to get management onside."

Recognising the difficult issues surrounding the audit of culture, the IIA is conducting an analysis, looking at case studies, and preparing guidance that will be issued shortly.

Other practical challenges

  • Several HIAs worry about getting adequate resources to meet the recommendations of the Code
  • Some have asked about the degree of involvement by internal audit in assessing management's decision-making and attitudes to risk
  • Others have asked about how they should assess the adequacy of their approach against the Code

HIAs have also identified other issues that might affect their ability to comply with the Code. High among their concerns is the question of resourcing: ensuring that internal audit is adequately resourced both to provide the depth of assurance required to help the board and to assess itself against the expectations of the Code (in particular, recommendation 21 on resourcing).

As one head of internal audit points out: "Compliance with the Code requires internal audit to do more self-assessment, and this means allocating resources to check on our own performance." On the other hand an audit head who is the sole internal auditor within the organisation and does not currently buy-in other internal audit services says that "while there are some challenges to reach full compliance it is mainly an issue of efficient use of resources rather than any reticence from the board or management." 

Ian Boston, Head of Internal Audit at Leek United Building Society, says that: "the Code helps raise the profile of internal audit in the boardroom and sets out a refreshed scope and remit of the internal audit function. One of the key challenges for me is trying to find the right balance of meeting the spirit of the Code as far as we can with the skills and resources available to us in the context of the size of the organisation. For example, the Code says that quality assurance has to be built within the internal audit function and that this can be proportionate with regards to the function's size. When you are just a team of two people, how do you do this satisfactorily?" 

Some HIAs have also raised concerns about the regulators' approach to the Code, and the lack of clear guidance from them on how they wish to see it applied.

One HIA says: "Another potential challenge is whether the regulator will push for even more from internal audit in 12-18 months' time. For the FCA and PRA, some aspects of the financial services sector still fall short of what is reasonably expected to restore trust and to ensure that customers are treated fairly. If the regulators decide that internal audit could and should do more to provide better assurance, this could have a significant impact on our work and our resourcing." 

While the UK's regulators only officially endorse their own guidance, they are supportive of the Financial Services Code. For example, Andrew Bailey, Deputy Governor of the Bank of England and Chief Executive of the Prudential Regulation Authority has said that the release of new guidance "raises the bar" for the profession, making its safeguarding role more explicit. He also said that non-executive directors and executives would need to get behind the reform to make it work. 

Martin Wheatley, Chief Executive of the Financial Conduct Authority said when the Code was launched that the new guidelines would play a vital part in restoring market confidence. "Internal auditors must be front and centre of ensuring their firm acts with integrity and will be alert to potential risks. Sadly, we have seen what happens in both the retail and wholesale markets when the right arrangements are not in place," he said. 

The IIA has raised with the PRA and FCA the issue of how the regulators will interpret the Code, and in particular how they will look at proportionality. This is an issue that individual organisations will need to discuss with their supervisors in order to get a clear view of what the Code means for them. 

Several HIAs have asked about the degree of internal audit involvement in assessing management's decision-making and attitudes to risk. Anne Obey, Divisional Director, Group Internal Audit at Nationwide Building Society, says that while "the balance of the Code feels right, particularly in expecting internal audit to be prepared to challenge management at a strategic level, it is important that in these situations internal audit continues to maintain very clearly its independence from business decisions on management of risk: management are the experts in their own business and must take full ownership of those decisions." Paul Boyle, Aviva Chief Audit Officer, who sat on the Committee that drafted the Code, confirms that internal audit's role should stop at the boardroom door. "Internal audit should not challenge decisions of the board but ensure that the board is satisfied that the correct processes have been followed and the information used in reaching their decisions is fair, balanced and reasonable." 

More generally, several HIAs have asked how audit functions should assess the adequacy of their approach against the Code. Some are worried about the risk that organisations might follow "tick-box" compliance, rather than trying to understand what the Code intends. 

"If you consider compliance with the Code is easy, then you need to ask yourselves whether the board and other stakeholders are getting the right level of support from internal audit," says James Turner, Group Head of Internal Audit at Prudential. "The Code requires us to push the internal audit function constantly to improve the level and breadth of insight it is providing to the board: it should not be used to reassure yourself that your audit function is doing everything right already."


While the findings represent a sample of views from HIAs in financial services institutions, one can draw some broader conclusions.

  • The good news is that all who responded to the survey have embraced the Code and are in the process of assessing the areas where they do or do not follow its recommendations. Many believe that they are close to meeting all the recommendations and that they will not face any significant barriers in achieving this. Furthermore, the overwhelming majority of audit committees, chief executives and senior executives are both aware of the Code and support internal audit's drive to improve and self-assess whether the audit function can live up to the Code's spirit.
  • However, there are challenges. Enhanced assurance may require a greater commitment in time, money and people, and internal audit functions - like any other department - will need to justify a business case for more resources. Small internal audit departments are more likely to struggle to implement all the Code's recommendations - at least in the short-term.
  • A number of internal audit functions are likely to require more time to implement the Code's recommendations. In some cases audit heads may face a hard decision as to whether they are able to follow particular recommendations. However, it is worth pointing out that the introduction to the Code makes clear that it is written in the context of a "reasonable sized company" and that "smaller companies and branches may need to make modifications to the detail of the principles whilst complying with their spirit", referring to size, risk profile, internal organisation, and nature and scope of activities. It is to be expected that the regulators will take note of this and will engage in a dialogue with firms about where, in some areas for some institutions, compliance with the Code may not be appropriate.
  • The call to audit culture represents a new and significant shift in focus for most HIAs. A significant proportion of respondents cite this as the toughest recommendation to implement, principally because it requires a degree of subjectivity, and may not previously have been part of the function's specific remit. However, several HIAs have already taken steps to provide greater assurance in this area, assess its risks, and make culture a part of their routine audit work. Others say that culture has always been an element in their individual audits, but has not been identified as such, and needs to be pulled together to help form an overall view. The Institute will publish guidance on the issue later this year.
  • Implementing the Code's recommendations does not however just require leadership from internal audit. As the UK regulators have pointed out, boards also have a responsibility for ensuring that the Code is followed as closely as possible and that the organisation is getting the best out of its internal audit department. Given the high level of awareness of the Code in boardrooms it is evidently already enhancing the level and quality of the dialogue between HIAs and their audit committees, and should also start to raise the profile and standing of internal audit among members of the executive.
  • The challenge for internal audit now is to raise its game in response to the requirements of the Code and the expectations that this is generating.

View from an audit committee chair

Jim Pettigrew, Chair of the Audit Committee at Aberdeen Asset Management.

"The IIA's Financial Services Code is a welcome document to help give boards, regulators and investors a better appreciation of what internal audit does, and how its work impacts positively upon the organisation and its corporate governance. It will be a useful guide for executives so that they know what to expect from the function, in terms of management information and management assurance.

While the Code will clarify how internal audit can provide better and deeper assurance, it will also create some new challenges. Chief among these is the issue of auditing culture, which takes internal audit away from its core area of examining facts, to looking more subjectively at the way the organisation is run, its risk appetite, and how well the "tone at the top" is communicated and acted upon by everyone else throughout the business.

While the Code encourages internal audit functions to re-evaluate the work they do and examine new areas, there is a danger that some internal auditors may fail to understand these new areas or take the wrong approach, which could risk their credibility and core competencies being called into question.

There is no doubt that the Code will raise the profile of internal audit in the boardroom, and backing from the financial regulator will only enhance that. But internal audit should not regard the Code as a "box-tick" manual to ensure compliance. The Code is as much a guide for audit committees to better understand the assurance behind the management information that they receive."

Case study 1 

Nick Collins, Head of Internal Audit at Virgin Money

We have been very clear since we entered the market as a new challenger bank that we are committed to doing things in a better way, and that has enabled us to adapt our internal audit structure and approach to reflect the best practice principles enshrined in the Code. 

Since Virgin Money acquired the retail banking business from Northern Rock two years ago, it has totally revitalised and changed the business, including the introduction of the necessary governance and operational changes needed to integrate the two businesses. As a result, it has been a fairly straightforward process to make the necessary changes to comply with the spirit of the Code. 

The process has also been made easier by having the support of the executive team and the board. Our chief executive and audit committee immediately saw the benefits in complying with a code of practice that has regulatory backing, and one that is aligned to our quest to build a better bank. They also appreciate the greater clarity around the role of internal audit, and the value and assurance we can bring to the organisation, particularly in terms of supporting effective risk management. 

While we comply with the vast majority of the Code's recommendations already, our gap analysis has made us consider in particular the level of skills and capabilities we have in our audit team. The Code requires organisations to have good, experienced auditors that can perform deeper audits in more challenging and judgemental areas. This inevitably brings the need to grow the capability in our team and consider the specialist skills needed to effectively deliver the increased expectations. And with the Code adding weight, the audit committee is fully supportive of providing the resources to strengthen the team. 

As one may expect, there are some parts of the Code that are likely to take more time to comply with: the scoping issue around auditing culture is an obvious one. This is new territory for the profession, and there is a need for further practical guidance to support the Code in this area. We have also spent time discussing what the responsibilities of the audit committee are under the Code, as there are several recommendations that require the audit committee to take the lead. We will continue to work through the audit committee and take the time needed to fully understand what is required in practice for full compliance to be achieved.

Case study 2

Paul Marshall, Group Head of Internal Audit at Old Mutual

In my view the Code is a very positive step and the recommendations set out what a board and a regulator would expect from a good internal audit function. The Code is not about compliance necessarily - it is more about what internal audit should do to position itself properly within the organisation, to provide the right level of assurance and to help keep the company safe, including providing assurance on management information to help the board with strategic decision-making. 

While the chair of our audit committee, Roger Marshall, was solidly behind us adopting the Code (he actually chaired the IIA committee on its development), the executives needed to fully appreciate the reasons why the Code was necessary given that they considered our internal audit function to be "fit for purpose" following the findings of an external quality review. The explanatory notes which came with the final version of the Code were particularly helpful in explaining that the specific items contained in the various recommendations - such as those under recommendation 6 with regards to internal audit's scope, auditing culture and the organisation's risk appetite - did not necessarily need to feature on the plan of audit activity for every year. 

We already follow most of the recommendations within the Code, but there are some challenges. Internal audit has already started to look at how to audit culture and risk attitudes, and through working with the chief risk officer and HR to develop and apply a risk and control culture framework comprising 50 specific characteristics, we now have a consistent basis for an assessment of the risk and control culture of each of the major business units within the group. We aim to develop this further, enabling us to monitor trends over time. 

More broadly, there are some elements that are likely to pose problems for HIAs. For example, to strictly comply with recommendations 17 and 18 regarding the appraisal and remuneration of the head of internal audit would require a non-executive to perform what is in essence an executive responsibility. A likely solution - certainly in our organisation - is for performance management to be led by the chief executive with input from the chair of the audit committee.

Recommendations 12 and 13 about whether internal audit has appropriate authority with the executive and the right to attend executive meetings may also pose problems. The key issue for me is whether the internal audit function is informed promptly of key issues happening in the organisation and has the flexibility and agility to become involved quickly where needed. Speaking personally, my preference would be to earn the right to be invited to executive meetings because of the contribution I can make as the chief internal auditor, rather than it being required through a code that says that I should have the right to attend.
