Internal Audit Financial Services Code of Practice

Guidance on effective internal audit in the financial services sector

This code, first published in July 2013, was produced by an independent committee established by the IIA, with representation and observers from leading banks, insurers, the Financial Conduct Authority, the Prudential Regulation Authority and the Bank of England.

The code was reviewed and published in September 2017 with only modest changes. 

In January 2021, the code was revised for a third time and renamed the ‘Internal Audit Financial Services Code’. This latest version updates the Financial Services Code by harmonising it with our previously published ‘Internal Audit Code of Practice: Guidance on effective internal audit in the private and third sectors’.

Read on to view the code and further guidance.

Context
Role and mandate of internal audit
Scope and priorities of internal audit
Reporting results
Interaction with risk management, compliance and finance
Independence and authority of internal audit
Resources
Quality Assessment and Improvement Programme (QAIP)
Relationships with regulators
Relationship with external audit
Wider considerations
Associated guidance
Further reading
Download the code (pdf)

Context

The Internal Audit Financial Services Code of Practice aims to enhance the overall effectiveness of internal audit, and its impact, within organisations operating in the financial services sector in the UK and Ireland.

Its recommendations can be regarded as a benchmark of good practice against which organisations can assess their internal audit function.

The Code is principles based and written in the context of a company operating within the UK and Ireland regulated financial services sector. The Code should be applied proportionately, and therefore smaller organisations should apply the principles on which the Code is based in light of their size, risk profile and internal organisation and the nature, scope and complexity of their operations.

Role and mandate of internal audit 

The primary role of internal audit should be to help the board and executive management to protect the assets, reputation and sustainability of the organisation.

It does this by assessing whether all significant risks are identified and appropriately reported by management and the risk function to the board and executive management; assessing whether they are adequately controlled; and by challenging executive management to improve the effectiveness of governance, risk management and internal controls. The role of internal audit should be articulated in an internal audit charter, which should be publicly available.

The board, its committees and executive management should set the right ‘tone at the top’ to ensure support for, and acceptance of, internal audit at all levels of the organisation.

Scope and priorities of internal audit

Internal audit’s scope should be unrestricted

There should be no aspect of the organisation which internal audit should be restricted from looking at as it delivers on its mandate. Whilst it is not the role of internal audit to second guess the decisions made by the board and its committees, its scope should include information presented to the board and its committees as discussed further below.

Risk assessments and prioritisation of internal audit work

In setting its scope, internal audit should form its own judgement on how best to segment the audit universe given the structure and risk profile of the organisation. It should take into account business strategy and should form an independent view of whether the key risks to the organisation have been identified, including emerging and systemic risks, and assess how effectively these risks are being managed. Internal audit’s independent view should be informed, but not determined, by the views of management or the risk function. In setting out its priorities and deciding where to carry out more detailed work, internal audit should focus on the areas where it considers risks to be higher. Internal audit should make a risk-based decision as to which areas within its scope should be included in the audit plan – it does not necessarily have to cover all of the scope areas every year. Its judgement on which areas should be covered in the audit plan, and on the frequency and method of audit cycle coverage, should be subject to approval by the audit committee.

Internal audit coverage and planning

Internal audit plans, and material changes to internal audit plans, should be approved by the audit committee. They should have the flexibility to deal with unplanned events to allow internal audit to prioritise emerging risks. Changes to the audit plan should be considered in light of internal audit’s ongoing assessment of risk.

Scope of internal audit

The scope of internal audit’s work should be regularly reviewed to take account of new and emerging risks. Where relevant, internal audit should assess not only the process followed by the organisation’s first and second lines, but also the quality of their work. As a minimum, internal audit should include within its scope the following areas:

• Internal governance

Internal audit should include within its scope the design and operating effectiveness of the internal governance structures and processes of the organisation.

• The information presented to the board and executive management for strategic and operational decision-making

Internal audit should include within its scope the processes and controls supporting strategic and operational decision making. It should assess whether the information presented to the board and executive management, fairly represents the benefits, risks and assumptions associated with the strategy and corresponding business model.

• The setting of, and adherence to, the risks the entity is willing to accept (risk appetite)

Internal audit is not responsible for setting the risk appetite but should assess whether the risk appetite has been established and reviewed through the active involvement of the board and executive management. It should assess whether risk appetite is embedded within the activities, limits and reporting of the organisation; and it should report annually to the audit and risk committees its conclusions on whether the organisation’s risk appetite framework is being adhered to.

• The risk and control culture of the organisation

Internal audit should include within its scope the risk and control culture of the organisation. This should include assessing whether the processes (e.g. appraisal and remuneration), actions (e.g. decision making), ‘tone at the top’ and observed behaviours across the organisation are in line with the espoused values, ethics, risk appetite and policies of the organisation. Internal audit should consider the attitude and assess the approach taken by all levels of management to risk management and internal control. This should include management’s actions in addressing known control deficiencies as well as management’s regular assessment of controls.

• Risks of poor customer treatment, giving rise to conduct or reputational risk

Internal audit should evaluate whether the organisation is acting with integrity in its dealings with customers and in its interaction with relevant markets. Internal audit should evaluate whether business and risk management is adequately designing and controlling products, services and supporting processes in line with customer interests, protection of customer data and conduct regulation.

• Capital and liquidity risks

Internal audit should include within its scope the modelling and management of the organisation’s capital and liquidity risks, including the process for establishing and maintaining scenario analysis (stress testing) in relation to major risk categories, and recovery plans related to economic shocks.

• Key corporate events

Examples of key corporate events could include significant business process changes, introduction of new products and services, outsourcing decisions and acquisitions/ divestments. Internal audit should decide on a timely basis if these events are sufficiently high risk to warrant involvement. In doing so, internal audit will evaluate whether the key risks are being adequately addressed (including by other forms of assurance, e.g. due diligence) and reported. Internal audit should also assess whether the information being used in such key decision making is fair, balanced and reasonable, and whether the related procedures and controls have been followed.

Outcomes of processes

Internal audit should evaluate the design and operating effectiveness of the organisation’s policies and processes. In doing so, it should not adopt a ‘tick box’ approach based purely on the design of processes and controls, and should always consider the actual outcomes which result from their application, assessed against the espoused values, ethics, risk appetite and policies of the organisation 

Reporting results

Internal audit should be present at, and issue reports to the appropriate governing bodies, including the board audit committee, the board risk committee and any other board committees as appropriate. The nature of the reports will depend on the remits of the respective governing bodies.

Internal audit’s reporting to the board audit, board risk and any other board committees should include:

• a focus on significant control weaknesses and breakdowns together with a robust root-cause analysis. Internal audit’s reports should identify owners, accountabilities and timescales for each management action
• any thematic issues identified across the organisation
• an independent view of management’s reporting on the risk management of the organisation, including a view on management’s remediation plans (which might include restricting further business until improvements have been implemented), highlighting areas where there are significant delays
• a review of any post-mortem and ‘lessons learned’ analysis if a significant adverse event has occurred at an organisation (for example, a regulatory breach). Any such review should assess both the role of the first and second lines and internal audit’s own role
• at least annually, an assessment of the overall effectiveness of the governance, and risk and control framework of the organisation, and its conclusions on whether the organisation’s risk appetite framework is being adhered to, together with an analysis of themes and trends emerging from internal audit work and their impact on the organisation’s risk profile.

Interaction with risk management, compliance and finance

Effective risk management, compliance and finance functions are an essential part of an organisation’s corporate governance structure. Internal audit should be independent of these functions and be neither responsible for, nor part of, them.

Internal audit should include within its scope an assessment of the adequacy and effectiveness of the risk management, compliance and finance functions. In evaluating the effectiveness of internal controls and risk management processes, in no circumstances should internal audit rely exclusively on the work of risk management, compliance or finance. Internal audit should always examine, for itself, an appropriate sample of the activities under review

Internal audit should exercise informed judgement as to what extent it is appropriate to take account of relevant work undertaken by others, such as risk management, compliance or finance in either its risk assessment or determination of the level of audit testing of the activities under review. Any judgement which results in less intense internal audit scrutiny should only be made after an evaluation of the effectiveness of that function in relation to the area under review.

Independence and authority of internal audit

The chief audit executive should be at a senior enough level within the organisation (normally expected to be at executive committee or equivalent) to have the appropriate standing, access and authority to challenge the executive. Subsidiary, branch and divisional heads of internal audit should also be of a seniority comparable to the senior management whose activities they are responsible for auditing

Internal audit should have the right to attend and observe all or part of executive committee meetings and any other key management decision making fora. This enables internal audit to understand better the strategy of the business, key business issues and decisions, and to adjust internal audit priorities where appropriate. It also facilitates a better working relationship with executive committee members.

Internal audit should have sufficient and timely access to key management information and a right of access to all of the organisation’s records, necessary to discharge its responsibilities.

In organisations in which the internal audit function is outsourced this Code still applies, and the chief audit executive should always be employed directly by the organisation to ensure they have sufficient and timely access to key management information and decisions.

The primary reporting line for the chief audit executive should be to the chair of the audit committee.

The audit committee should be responsible for appointing the chief audit executive and removing him/her from post.

The chair of the audit committee should be accountable for setting the objectives of the chief audit executive and appraising his/her performance at least annually. It would be expected that the objectives and appraisal would take into account the views of the chief executive.

This appraisal should consider the independence, objectivity and tenure of the chief audit executive. Where the tenure of the chief audit executive exceeds seven years, the audit committee should explicitly discuss annually the chair’s assessment of the chief audit executive’s independence and objectivity.

The chair of the audit committee should be responsible for recommending the remuneration of the chief audit executive to the remuneration committee. The remuneration of the chief audit executive and internal audit staff should be structured in a manner that avoids conflicts of interest, does not impair their independence and objectivity and should not be directly or exclusively linked to the short term performance of the organisation.

Subsidiary (including ring-fenced bank), branch and divisional heads of internal audit should report primarily to the Group chief audit executive, while recognising local legislation or regulation as appropriate. This includes the responsibility for setting budgets and remuneration, conducting appraisals and reviewing the audit plan. The Group chief audit executive should consider the independence, objectivity and tenure of the subsidiary, branch or divisional heads of internal audit when performing their appraisals.

If internal audit has a secondary executive reporting line, this should be to the CEO in order to preserve independence from any particular business area or function and to establish the standing of internal audit alongside the executive committee members

Resources

The chief audit executive should ensure that the audit team has the skills and experience, including technical subject matter expertise, commensurate with the scale of operations and risks of the organisation. This may entail training, recruitment, secondment from other parts of the organisation or co-sourcing with external third parties.

The chief audit executive should provide the audit committee with a regular assessment of the skills required to conduct the work needed, and whether the internal audit budget is sufficient to recruit and retain staff or procure other resources with the expertise, experience and objectivity necessary to provide effective challenge throughout the organisation and to the executive.

The audit committee should be responsible for approving the internal audit budget and, as part of the board’s overall governance responsibility, should disclose in the annual report whether it is satisfied that internal audit has the appropriate resources.

Quality Assessment and Improvement Programme (QAIP)

The board or the audit committee is responsible for evaluating the performance of the internal audit function on a regular basis. In doing so it will need to identify appropriate criteria for defining the success of internal audit. Delivery of the audit plan should not be the sole criterion in this evaluation.

Internal audit should maintain an up-to-date set of policies and procedures, and performance and effectiveness measures for the internal audit function. Internal audit should continuously improve these in light of industry developments.

Internal audit functions of sufficient size should develop a quality assurance and improvement programme, with the work performed by individuals who are independent of the delivery of the audit. The individuals performing the assessments should have the standing and experience to meaningfully challenge internal audit performance and to ensure that internal audit judgements and opinions are adequately evidenced. The scope of the QAIP review should include internal audit’s understanding and identification of risk and control issues, in addition to the adherence to audit methodology and procedures. This may require the use of resource from external parties. The quality assurance work should be riskbased to cover the higher risks of the organisation and of the audit process. The results of these assessments should be presented directly to the audit committee at least annually.

Where the internal audit function is outsourced to, or co-sourced with, an external provider, internal audit’s work should be subject to the same QAIP work as the in-house functions. The results of this QAIP work should be presented to the audit committee at least annually for review. Chief audit executives should report regularly to the audit committee on the actions or progress implementing the outcomes of the review.

In addition, the audit committee should obtain an independent and objective external quality assessment at appropriate intervals, irrespective of the size of the organisation. This could take the form of periodic reviews of elements of the function, or a single review of the overall function. In any event, the internal audit function as a whole should as a minimum be subject to a review at least every five years, as set out in the International Professional Practices Framework (IPPF) for internal audit. The conformity of internal audit with this guidance should be explicitly included in this evaluation. The chair of the audit committee should oversee and approve the appointment process for the independent assessor.

The external quality assessment should consider and report on compliance with this Code as well as with the International Professional Practices Framework (IPPF) and International Standards for the Professional Practice of Internal auditing (‘the IIA Standards’)

Relationships with regulators

The chief audit executive, and other senior managers within internal audit, should have an open, constructive and co-operative relationship with regulators which supports sharing of information relevant to carrying out their respective responsibilities.

Relationship with external audit

The chief audit executive and the partner responsible for external audit should ensure appropriate and regular communication and sharing of information.

Wider considerations

The Chartered Institute of Internal Auditors should commission further independent reviews of this guidance at least every five years, in the light of further experience, with a view to deciding whether any further changes are required.

Associated guidance

This series of guidance pulls together further information and resources to help you implement the revised financial services code.

Annual governance, risk and control assessments
This guidance sets out a framework to enable the internal audit practitioner to fulfil requirements under paragraph 8 and 6c of the revised Code. 

Auditing new product development
Understand how to audit new products and provide assurance that new risks are being mitigated. 

Bank’s capital and liquidity – auditing ICAAP and ILAAP
Assessing both the governance and adequacy of your organisations ICAAP and ILAAP are discussed in this piece of guidance.  

Internal audit effectiveness
How to ensure that your internal audit function is effective and meeting the requirements under the FS Code and IIA Standards.

Outcomes of processes
One method to test the outcomes, rather than outputs, of processes.

Retrospective reviews
What are adverse events, and what should internal audit be doing?

Risk assessments and prioritisation of internal audit work
Methods to segment the audit universe and provide assurance to your audit committee that your team is covering all critical issues. 

Further reading

Comparison between the FS code and the International Standards

The Chartered Institute of Internal Auditors and IIA Global have jointly produced a comparative guide, outlining the relationship between the Financial Services Code and the International Standards.  This is presented in two ways: