Professional internal audit provides the kind of insights that boards need to make effective decisions. Internal audit provides independent assurance over how well the business is managing its risks, taking advantage of fast-moving opportunities and whether corporate governance processes are operating effectively. In order to do this internal audit teams must be appropriately qualified (ideally, IIA-qualified), experienced, trained, and properly resourced, and work to the IIA Global International Professional Practice Framework (IPPF).
To carry out internal audit’s responsibilities effectively, it is imperative that independence and objectivity are maintained at the highest standard. It is explicitly stated in Attribute Standard 1100 – Independence and Objectivity that,
The internal audit activity must be independent, and internal auditors must be objective in performing their work.
To comply with the standard, internal auditors must understand what independence and objectivity are and what is required in practice. In short, independence and objectivity means that internal auditors and the internal audit activity have, and maintain, the ability to make unbiased judgement and decisions based on the audit activities and facts and that they are free from any internal or external interference or obstruction with functional accountability being to the board, either directly or through an audit committee.
Further interpretation from both Chartered IIA and IIA Global is provided in the Additional Information Section
The Financial services code, updated and published in September 2017, by a committee of representatives from the banking and insurance industry, the Financial Reporting Council, the Prudential Regulation Authority and the Bank of England established by the Chartered IIA further promoted the independence and authority of internal audit; stating that there should be no aspect of the organisation which internal audit should be restricted from looking at as it delivers on its mandate. It specifically called out several factors including adequate seniority and resource planning in order to ensure the independence of the internal audit activity as well as for a review, by the audit committee, where the tenure of the Chief Audit Executive (CAE) exceeds seven years, to ensure independence and objectivity have not been compromised.
The revised version of the UK Corporate Governance Code, July 2018 states that the audit committee should monitor and review the effectiveness of the internal audit activity. In addition, the FS Code requires the audit committee to review and monitor the internal auditor’s independence and objectivity. As such, it remains the view of the Chartered IIA that the UK Corporate Governance Code should further promote internal audit’s independence and objectivity, to support the board on the oversight of risk management, governance and internal control. The Chartered IIA called on the Financial Reporting Council (FRC) to strengthen the UK Corporate Governance Code by specifying, as it does for external auditors, that audit committees should review and monitor internal audit’s independence and objectivity. This has not been specified in the revised version of the Code.
Since the publication of the UK Corporate Governance Code in July 2018 an independent review led by Sir John Kingman concluded in its report to government in December 2018 that the FRC be replaced with an independent statutory regulator, accountable to Parliament, with a new mandate, new clarity of mission, new leadership and new powers. The new regulator is called the Audit, Reporting and Governance Authority (ARGA). One of the FRC’s strategic priorities for 2019/20 is to support the transition to ARGA.
While the FRC’s Guidance on Audit Committees, April 2016 is more specific about the relationship between internal audit and the audit committee, there are areas that have not been incorporated to further strengthen independence and objectivity, such as including:
In an increasingly complex and challenging national and international environment, boards need independent and objective assurance that risks are being managed by the executive, that internal control mechanisms are working effectively, and that the organisation has effective governance. Internal audit, with its detailed knowledge of the organisation’s mission, objectives and operations, is uniquely placed to deliver this.
International best practice calls for the establishment of an internal audit activity reporting either directly to the board or through an audit committee (OECD Principles of Corporate Governance, Basel Committee Principles, and IIA Global Standards). This reporting line offers:
Boards must define the risk appetite of the organisation. They task internal audit to provide assurance that systems and operations are working to deliver outcomes that are in line with the risk appetite, and that mechanisms exist to alert the board to policies or proposals that may conflict with the desired level of risk.
Internal auditors must be free to advise the board, directly or through an audit committee, on risk management, governance and internal control issues, having unrestricted access to all parts of the organisation.
While internal auditors should work closely with the executive to resolve issues that arise in their work, their accountability is to the board, not business management, and they should operate free from interference or obstruction from the business/other functions within the organisation.
Internal audit activities need suitably experienced, qualified and trained staff to produce the best advice and judgments for boards and management. Boards should ensure that internal audit work is sufficiently resourced to allow it to fulfil its mandate, that staff in key positions have a recognised skill set appropriate to their activities, and that staff receive the training and development they need to deal with the increasing challenges organisations are facing.
Internal audit should report at least annually to the board/audit committee on their risk management, governance and internal control work, recognising that it may be referenced in the statement of internal control as part of the organisation’s annual report.
Internal audit should report functionally to the board, where appropriate through the audit committee ie a direct reporting line to the chair of the audit committee, and administratively to the chief executive. Functional reporting includes overseeing ongoing internal audit activity, involvement in the hiring and terminating the CAE, setting the internal audit budget, agreeing at least annually internal audits strategic and operational plans, monitoring the agreed internal audit plan, reviewing on a regular basis eg annually, the internal audit charter, identifying new areas of work, noting recommendations implemented by the executive and ensuring that unresolved issues are addressed.
It should be noted that recommended best practice is for the audit committee to meet at least three times per year.
The board/audit committee should also actively participate in the CAE’s performance evaluation and remuneration process. Where the CAE’s remuneration package includes incentives, these should be linked to the performance of internal audit and not the short-term performance of the organisation. Administrative reporting should not include functions that might undermine objectivity, (eg on remuneration) that might make internal audit beholden to the executive. Further, targeted quality assurance programmes, internal and external, should be considered accordingly to provide further assurance of the independence and objectivity of the internal audit activity.
While most large companies have their own internal audit activity, the FRC UK Corporate Governance Code, only requires companies to have an internal audit activity on a comply or explain basis. Neither the Code, nor its accompanying guidance, specify fully how independence and objectivity of internal audit are to be achieved and maintained.
The Chartered IIA recognises that companies should be given flexibility to establish their internal audit arrangements according to their size and circumstances. But, given the specific terms of the OECD Guidelines (point 6), the IIA International Standards (Standard 1110) and the Basel Principles (page 2). The Chartered IIA believed the FRC Code and Guidance needed to set out in greater detail how independence and objectivity are to be protected which they have not.
It should be recognised that there may be certain situations where the independence and objectivity of the internal audit activity are threatened. Depending on the source of the threat, internal auditors should use the existing internal governance structure to escalate and resolve the conflict or challenges accordingly. The direct reporting line to the chair of the audit committee could provide such route for escalation.
However, if in the unlikely event, that the source of the challenge originated from a level of seniority within the reporting line then whistle-blower procedures may be used. In extreme scenarios where internal audits independence and objectivity are impaired, the internal auditor should be aware of the direct route of whistleblowing to Regulators, for example FCA whistle blowing (https://www.fca.org.uk/firms/whistleblowing).
IIA Global provide further guidance on impairment of independence and objectivity, see Standard 1130 Impairment to Independence or Objectivity, and the implementation guidance associated with the Standard.
IIA Global explicitly requires that the internal audit activity and internal auditors maintain independence and objectivity at all times. Where the Chartered IIA’s supporting guidance is available, the Chartered IIA calls for further clarity and interpretation of specific requirements through the UK Governance Code with regards to the independence and objectivity for internal audit.
IIA International Standards for the Professional Practice of Internal Auditing - Attribute Standards
1100 - Independence and Objectivity
1110 - Organisational Independence
1112 - Chief Audit Executive Roles Beyond Internal Auditing
Guidance on effective internal audit in the financial services sector (FS Code) September 2017 - Independence and authority of internal audit – points 12 - 20
Financial Reporting Council - UK Corporate Governance Code (Revision published in July 2018) - Section 4 - Audit, Risk and Internal Control, Principles M, N, O, Provision 25
Financial Reporting Council - Guidance on Risk Management, Internal Control and Related Financial and Business Reporting (September 2014)
Section 3 - Exercising Responsibilities, Point 27
Section 5 - Monitoring and Review of the Risk Management and Internal Control Systems, Points 39 - 43
Financial Reporting Council – Guidance on Audit Committees (revised in April 2016) - The internal audit processes, Points 45 - 56
The Irish Corporate Governance Annex (Irish Stock Exchange -2019) - Audit Committee 5.1 & 5.2
OECD Principles of corporate governance – VI the responsibilities of the board, Point 6
HM Treasury Corporate governance in central government departments: Code of good practice 2017, Risk Management - Principles 5.1 – 5.11
Principle 1, Oversight of senior management, Point 33
Principle 9, The board and senior management should effectively utilise the work conducted by internal audit functions, external auditors and internal control functions, Point 100.
Principles relating to the supervisory expectations relevant to the internal audit function 1 -15 (Pages 2-3)
Supervisory expectations relevant to the internal audit function:
Directive 2006/43/EC of the European Parliament and of the Council (17 May 2006) - Article 41, Audit Committee, Point 2
© Chartered Institute of Internal Auditors, September 2019