This guidance will help internal auditors deal with regulators with an appreciation of the regulatory environment and assurance considerations to enhance credibility.
Our Internal Audit Code of Practice states that:
“The chief internal auditor should consider the impact of the regulatory environment and have an open, constructive and cooperative relationship with relevant regulators.” (recommendation 37)
A similar recommendation (27) is included in the Financial Services Code of Practice, an industry where internal audit is very familiar with dealing with regulators. This guidance offers tips on how to practically address this expectation.
Regulation varies widely by sector, as does the style and scope of regulatory bodies. So, while these principles apply universally, judgement will be required as to the optimal approach for a particular organisation in a particular industry.
Internal audit teams need to have a good grasp of regulatory requirements in the industry or industries in which they operate. For some this will be core to almost everything that is done. For others it may be a secondary consideration or a partial impact in one area of the organisation. There are many sources of information: the regulators’ websites, internal audit industry networks and publications by professional service advisors, to name a few. It is important to understand both the requirements on the organisation and any specific obligations or expectations on internal audit itself. For international organisations, and those that have part of their value chain in different jurisdictions, this may involve regulators in several countries.
To enable internal audit to really add value, try to go beyond just understanding regulatory requirements, and understand the regulator’s broader agenda and the regulatory objectives.
Any interaction with regulators will be in the context of the overall corporate engagement, so make sure you understand how that engagement is managed.
The regulatory environment should be considered in strategic internal audit planning.
In doing this, consider:
All of this should be incorporated into a risk-based plan. Not all regulatory risks are high, so don’t fall into the trap of thinking that just because something is a regulatory expectation it must be audited. Some regulators do mandate specific audit reviews, which could be considered as a separate part of the strategic (annual) audit plan.
Consider regulatory requirements and the regulatory environment when planning each engagement. How does this affect the different risks identified? Many internal audit teams include a section on regulatory considerations in their planning memoranda or terms of reference – this can provide a useful focus. Audit testing may include steps to give assurance over the compliance processes in the organisation, or substantive tests to directly test compliance; determining the appropriate approach should be done as for any other risk, unless there is a clear requirement or expectation set by the regulator.
When writing findings or reports, consider the regulatory impact of issues being raised and ensure that these, if of sufficient materiality, are clearly articulated. Bear in mind that regulators may read these reports. This doesn’t mean avoiding issues or downplaying them, despite pressure which internal auditors often feel from within their business; but it does reinforce the need for accuracy, clarity and balance.
Please refer to separate guidance on auditing corporate governance.
Specific to the FS Code updates, internal auditors should consider assurance in relation to:
Internal audit can offer valuable assurance to the non-executives over the narrative statements. There is a real desire in the 2018 UK Corporate Governance Code for non-executives to understand how the organisation operates and internal audit has a key role in this.
What role does your function currently have in this space? Which data sets present the highest risk for misreporting? Do the principal risks adequately represent those that the organisation faces? How can assurance be provided without delaying publication?
The FRC has stated its intent to escalate monitoring of practice and reporting. Internal auditors may feel it prudent to prepare themselves and their Boards for this extending beyond financial reporting and audit enforcement procedures into the broader Principles.
Provision 28 states that the board should carry out a robust assessment of the company’s emerging and principal risks, and report on them.
Internal audit can provide assurance over the risk management process, including how principal risks are assessed, managed and reported. Many organisations also have risk committees (a requirement in financial services), and internal audit should consider its assurance over their remit, composition, skills and service quality.
Principle B states that the board should establish the company’s purpose, values and strategy, and satisfy itself that these and its culture are aligned. All directors must act with integrity, lead by example and promote the desired culture. Within this, Provision 2 requires the board to assess and monitor culture, and where it is failing to seek assurance that management has taken corrective action and report on it in the annual report.
Principle E states that the board should ensure that workforce policies and practices are consistent with the company’s values and support its long-term sustainable success. The workforce should be able to raise any matters of concern.
The ability of the workforce to raise concerns is not new; it is one of the aspects of a good culture. However, the 2018 Code does not limit this to financial reporting matters. Audit plans should already provide assurance as required over the effectiveness and efficiency of tools such as whistleblowing programmes.
Within this, Provision 5 specifies that for engagement with the workforce one or more of three approaches should be adopted. Organisations must justify the use of alternatives.
Internal audit can review the process by which the decision is made, the information used, the stakeholders involved and the rationale. How has the diversity of the workforce been considered, particularly across geographies and cultures? As with auditing strategy it is not the outcome that is subject to scrutiny but the decision-making process itself.
Provision 28 now states that the board should carry out a robust assessment of the company’s emerging and principal risks.
Assurance over the effectiveness of risk management may vary depending on the existence of a second-line risk function, its maturity, or its integration into the internal audit remit. Regardless, one aspect that should now feature is the process by which emerging risks are identified, assessed/prioritised and managed. Both principal and emerging risks are now required to be reported on publicly, heightening the profile of the robustness of the processes supporting their disclosure.
The 2018 Code includes principles and provisions designed to encourage diversity and minimise stagnation of the board.
Internal audit can provide assurance that the processes in place to comply with these requirements are robust and complied with.
The five headings of the 2018 UK Corporate Governance Code include many points which internal audit can provide assurance over. The approach taken will vary depending on the sector, type, size and maturity of the organisation. Internal auditors should always consider their competence and where necessary partner with specialists or outsource engagements.
There have been many changes as a result of the update to the Code, with further emphasis placed on the need for good governance. Internal auditors should be aware of the Code and how their organisation responds to its requirements.