Dealing with regulators

This guidance will help internal auditors deal with regulators with an appreciation of the regulatory environment and assurance considerations to enhance credibility.

Our Internal Audit Code of Practice states that:

“The chief internal auditor should consider the impact of the regulatory environment and have an open, constructive and cooperative relationship with relevant regulators.” (recommendation 37)

A similar recommendation (27) is included in the Financial Services Code of Practice, an industry where internal audit is very familiar with dealing with regulators. This guidance offers tips on how to practically address this expectation.

Regulation varies widely by sector, as does the style and scope of regulatory bodies. So, while these principles apply universally, judgement will be required as to the optimal approach for a particular organisation in a particular industry.


Top tips

  1. Understand the environment
  2. Consider the impact of the regulatory environment
  3. Build an open, cooperative and constructive working relationship
  4. Develop the credibility of internal audit

Understand the environment

Internal audit teams need to have a good grasp of regulatory requirements in the industry or industries in which they operate. For some this will be core to almost everything that is done. For others it may be a secondary consideration or a partial impact in one area of the organisation. There are many sources of information; the regulators’ websites, internal audit industry networks, publications by professional service advisors, to name a few. It is important to understand both the requirement on the organisation and any specific obligations or expectations on internal audit itself. For international organisations, and those that have part of their value chain in different jurisdictions, this may involve regulators in several countries.

To enable internal audit to really add value, try to go beyond just understanding regulatory requirements, and understand the regulator’s broader agenda and the regulatory objectives.

  • What are the political, economic and social drivers?
  • How does this impact the direction of travel, and what assurance is the regulator looking for to help them meet their objectives?

Any interaction with regulators will be in the context of the overall corporate engagement, so make sure you understand how that engagement is managed.

  • Who in the organisation is responsible for leading the regulatory relationship?
  • What are the touchpoints?
  • What information is provided through regulatory reports or ad-hoc requests?
  • How does the organisation ensure it meets regulatory requirements and identifies emerging expectations? Without this, internal audit cannot effectively consider the impact of the regulatory environment.  

Consider the impact of the regulatory environment

The regulatory environment should be considered in strategic internal audit planning.

In doing this, consider:

  • Specific regulations and how the organisation ensures compliance
  • What others in your network are seeing from regulators
  • The regulatory agenda – what is coming and how prepared is the organisation, and internal audit
  • Current regulatory considerations of your board or audit committee, executives, compliance and legal teams
  • Reports, findings and comments from previous regulatory reviews.

All of this should be incorporated into a risk-based plan. Not all regulatory risks are high, so don’t fall into the trap of thinking just because it’s a regulatory expectation it must be audited. Some regulators do mandate specific audit reviews which could be considered as a separate part of the strategic (annual) audit plan. 

Consider regulatory requirements and the regulatory environment when planning each engagement. How does this affect the different risks identified? Many internal audit teams include a section on regulatory considerations in their planning memoranda or terms of reference – this can provide a useful focus. Audit testing may include steps to give assurance over the compliance processes in the organisation, or substantive tests to directly test compliance; determining the appropriate approach should be done as for any other risk, unless there is a clear requirement or expectation set by the regulator.

When writing findings or reports, consider the regulatory impact of issues being raised and ensure that these, if of sufficient materiality, are clearly articulated. Bear in mind that regulators may read these reports. This doesn’t mean avoiding issues or downplaying them, despite pressure which internal auditors often feel from within their business; but it does reinforce the need for accuracy, clarity and balance.


Assurance implications

Please refer to separate guidance on auditing corporate governance.

Specific to the FS Code updates, internal auditors should consider assurance in relation to:

Annual Report - Narrative Statements

Internal audit can offer valuable assurance to the non-executives over the narrative statements. There is a real desire in the 2018 UK Corporate Governance Code for non-executives to understand how the organisation operates and internal audit has a key role in this.

What role does your function currently have in this space? Which data sets present the highest risk for misreporting? Do the principal risks adequately represent those that the organisation faces? How can assurance be provided without delaying publication?

The FRC has stated its intent to escalate monitoring of practice and reporting. Internal auditors may feel it prudent to prepare themselves and their Boards for this extending beyond financial reporting and audit enforcement procedures into the broader Principles.

Principal risks

Provision 28 states that the board should carry out a robust assessment of the company’s emerging and principal risksand report on them.

Internal audit can provide assurance over the risk management process, including how principal risks are assessed, managed and reported. Many organisations also have risk committees (a requirement in financial services) and internal audit should also consider its assurance over their remit, composition, skills and service quality.

Organisational culture

Principle B states that the board should establish the company’s purpose, values and strategy, and satisfy itself that these and its culture are aligned. All directors must act with integrity, lead by example and promote the desired culture. Within this, Provision 2 requires the board to assess and monitor culture, and where it is failing to seek assurance that management has taken corrective action and report on it in the annual report.

Internal audit has a key role in this space. Read more in our guidance on auditing culture.

Workforce voice

Principle E states that the board should ensure that workforce policies and practices are consistent with the company’s values and support its long-term sustainable success. The workforce should be able to raise any matters of concern.

The ability of the workforce to raise concerns is not new, it is one of the aspects of a good culture, however the 2018 Code does not limit this to financial reporting matters. Audit plans should already provide assurance as required over the effectiveness and efficiency of tools such as whistleblowing programmes.

Within this, Provision 5 specifies that for engagement with the workforce one or more of three approaches should be adopted. Organisations must justify the use of alternatives.

  • a director appointed from the workforce
  • a formal workforce advisory panel
  • a designated non-executive director

Internal audit can review the process by which the decision is made, the information used, the stakeholders involved and the rationale. How has the diversity of the workforce been considered, particularly across geographies and cultures? As with auditing strategy it is not the outcome that is subject to scrutiny but the decision-making process itself.

Risk management

Provision 28 now states that the board should carry out a robust assessment of the company’s emerging and principal risks.

Assurance over the effectiveness of risk management may vary depending on the existence of a 2nd line risk function, its maturity or its integration into the internal audit remit. Regardless, one aspect that should now feature is the process by which emerging risks are identified, assessed/prioritised and managed. Both principal and emerging risks are now required to be reported on publicly, heightening the profile of the robustness of the processes supporting their disclosure.

Board composition

The 2018 Code includes principles and provisions designed to encourage diversity and minimise stagnation of the board.

  • Provision 7 requires conflicts of interest to be identified and addressed
  • Provision 15 addresses the risks of ‘overboarding’ (being on too many boards)
  • Provision19 limits the tenure of the chair (the chair should not remain in post beyond nine years from the date of their first appointment to the board);
  • Principle J promotes diversity by basing appointments on merit, and
  • Principle K requires boards to consider their combination of skills, knowledge and tenure.

Internal audit can provide assurance that the processes in place to comply with these requirements are robust and complied with.


Broader areas of assurance

The five headings of the 2018 UK Corporate Governance Code include many points which internal audit can provide assurance over. The approach taken will vary depending on the sector, type, size and maturity of the organisation. Internal auditors should always consider their competence and where necessary partner with specialists or outsource engagements.

Board leadership and company purpose

  • The organisation is led by an effective board
  • The organisation has a clear and defined purpose, values and strategy
  • Resources are in place enable the delivery of the organisation’s objectives
  • Risks to the achievement of objectives have been identified and a framework of controls is in place to manage and mitigate these risks
  • The Board effectively engages with key stakeholders
  • The culture of the organisation is aligned to the organisation’s values and working practices support this

Division of responsibilities

  • The board is led by an objective Chair, who demonstrates openness, encourages debate and facilitates constructive board relationships
  • There is a balance of executive and non-executive board members
  • Non-executives are appointed to support the role of the board, including to address skills gaps and have sufficient time to undertake this role
  • The remit of the Board is clearly defined and documented
  • Governance advice and support is provided by the Company Secretary

Composition, succession and evaluation

  • There is a robust recruitment and appointment process to the Board. This should be all encompassing and consider skills, experience, time available to commit to the role, diversity, etc
  • Succession planning is regularly considered
  • Board membership is regularly refreshed and the tenure of the Chair is considered as part of this
  • The Board and its committees should comprise of members with a range of skills, experience and knowledge
  • Annual evaluations of the Board as a collective, its committees, the chair and individual directors are undertaken annually. An externally facilitated evaluation should be considered regularly
  • Actions from the various evaluations are identified and addressed within a timely manner
  • The work of the nomination committee is detailed in the annual report

Audit, risk and internal control

  • The independence and effectiveness of internal and external audit are protected via formal and transparent policies and procedures
  • The organisation’s position and prospects are presented in a fair, balanced and understandable manner by the Board
  • Processes and procedures enable the organisation to manage risk, oversee the internal control framework and manage these in line within its agreed risk appetite
  • An effective audit committee is in place
  • The work of the audit committee is included within the annual report
  • Risk management is embedded throughout the organisation and regularly reviewed and reported on

Remuneration

  • Remuneration supports the achievement of the organisation’s objectives
  • Remuneration is used as a leaver to drive the culture of the organisation
  • There are clear and transparent processes for determining remuneration
  • A remuneration committee supports the remuneration process
  • Conflicts of interest are appropriately managed when deciding on remuneration levels
  • Company performance, individual performance and wider circumstances are considered when authorising remuneration outcomes
  • The work of the remuneration committee is included within the annual report

Conclusion

There have been many changes as a result of the update to the Code, with further emphasis placed on the need for good governance. Internal auditors should be aware of the Code and how their organisation responds to its requirements.


Related IIA guidance

Auditing Corporate Governance
Auditing culture
Annual internal audit coverage plans

Risk management
Update to the UK Code

Content reviewed: 6 December 2021