Financial services code
This code, published in July 2013, was produced by an independent committee established by the IIA, with representation and observers from leading banks, insurers, the Financial Conduct Authority, the Prudential Regulation Authority and the Bank of England.
1. The primary role of Internal Audit should be to help the Board and Executive Management to protect the assets, reputation and sustainability of the organisation.
It does this by assessing whether all significant risks are identified and appropriately reported by management and the Risk function to the Board and Executive Management; assessing whether they are adequately controlled; and by challenging Executive Management to improve the effectiveness of governance, risk management and internal controls. The role of Internal Audit should be articulated in an Internal Audit Charter, which should be publicly available.
2. The Board, its Committees and Executive Management should set the right 'tone at the top' to ensure support for, and acceptance of, Internal Audit at all levels of the organisation.
3. Internal Audit's scope should be unrestricted
There should be no aspect of the organisation which Internal Audit should be restricted from looking at as it delivers on its mandate. Whilst it is not the role of Internal Audit to second guess the decisions made by the Board, its scope should include information presented to the Board as discussed further below.
4. Risk assessments and prioritisation of Internal Audit work
In setting its scope, Internal Audit should take into account business strategy and should form an independent view of whether the key risks to the organisation have been identified, including emerging and systemic risks, and assess how effectively these risks are being managed. Internal audit's independent view should be informed, but not determined, by the views of management or the Risk function. In setting its priorities and deciding where to carry out more detailed work, Internal Audit should focus on the areas where it considers risk to be higher.
Internal Audit should make a risk-based decision as to which areas within its scope should be included in the audit plan - it does not necessarily have to cover all of the potential scope areas every year.
5. Internal Audit planning
Internal Audit plans, and material changes to Internal Audit plans, should be approved by the Audit Committee. They should have the flexibility to deal with unplanned events to allow Internal Audit to prioritise emerging risks. Changes to the audit plan should be considered in light of Internal Audit's ongoing assessment of risk.
6. Scope of Internal Audit
Internal Audit should include within its scope the following areas:
a. Internal governance
Internal Audit should include within its scope the design and operating effectiveness of the internal governance structures and processes of the organisation.
b. The information presented to the Board and Executive Management for strategic and operational decision making
Internal Audit should include within its scope the processes and controls supporting strategic and operational decision making. It should assess whether the information presented to the Board and Executive Management fairly represents the benefits, risks and assumptions associated with the strategy and corresponding business model.
c. The setting of, and adherence to, risk appetite
Internal Audit is not responsible for setting the risk appetite but should assess whether the risk appetite has been established and reviewed through the active involvement of the Board and Executive Management. It should assess whether risk appetite is embedded within the activities, limits and reporting of the organisation.
d. The risk and control culture of the organisation
Internal Audit should include within its scope the risk and control culture of the organisation. This should include assessing whether the processes (e.g. appraisal and remuneration), actions (e.g. decision making) and "tone at the top" are in line with the values, ethics, risk appetite and policies of the organisation.
Internal Audit should consider the attitude and assess the approach taken by all levels of management to risk management and internal control. This should include Management's actions in addressing known control deficiencies as well as Management's regular assessment of controls.
e. Risks of poor customer treatment, giving rise to conduct or reputational risk
Internal Audit should evaluate whether the organisation is acting with integrity in its dealings with customers and in its interaction with relevant markets. Internal Audit should evaluate whether Business and Risk Management are adequately designing and controlling products, services and supporting processes in line with customer interests and conduct regulation.
f. Capital and liquidity risks
Internal Audit should include within its scope the management of the organisation's capital and liquidity risks.
g. Key corporate events
Examples of key corporate events could include significant business process changes, introduction of new products and services, outsourcing decisions and acquisitions/divestments. Internal Audit should decide if these events are sufficiently high risk to warrant involvement on a real-time basis. In doing so, Internal Audit will evaluate whether the key risks are being adequately addressed (including by other forms of assurance, e.g. third party due diligence) and reported. Internal Audit should also assess whether the information being used in such key decision making is fair, balanced and reasonable, and whether the related procedures and controls have been followed.
h. Outcomes of processes
Internal Audit should evaluate the design and operating effectiveness of the organisation's policies and processes. As part of this evaluation, Internal Audit should consider whether the outcomes achieved by the implementation of these policies and processes are in line with the objectives, risk appetite and values of the organisation.
7. Internal Audit should be present at, and issue reports to the appropriate governing bodies, including the Board Audit Committee, the Board Risk Committee and any other Board Committees as appropriate. The nature of the reports will depend on the remits of the respective governing bodies.
8. Internal Audit's reporting to the Board Audit and Risk Committees should include:
- a focus on significant control weaknesses and breakdowns together with a robust root-cause analysis;
- any thematic issues identified across the organisation;
- an independent view of Management's reporting on the risk management of the organisation, including a view on Management's remediation plans (which might include restricting further business until improvements have been implemented) highlighting areas where there are significant delays; and
- at least annually, an assessment of the overall effectiveness of the governance, and risk and control framework of the organisation, together with an analysis of themes and trends emerging from Internal Audit work and their impact on the organisation's risk profile.
9. Effective Risk Management, Compliance and Finance functions are an essential part of an organisation's corporate governance structure. Internal Audit should be independent of these functions and be neither responsible for, nor part of, them.
10. Internal Audit should include within its scope an assessment of the adequacy and effectiveness of the Risk Management, Compliance and Finance functions. In evaluating the effectiveness of internal controls and risk management processes, in no circumstances should Internal Audit rely exclusively on the work of Risk Management, Compliance or Finance. Internal Audit should always examine, for itself, an appropriate sample of the activities under review.
11. Internal Audit should exercise informed judgement as to when to place reliance on the work of Risk Management, Compliance or Finance. To the extent that Internal Audit places reliance on the work of Risk Management, Compliance or Finance, that should only be after a thorough evaluation of the effectiveness of that function in relation to the area under review.
12. The Chief Internal Auditor should be at a senior enough level within the organisation (normally expected to be at Executive Committee or equivalent) to give him or her the appropriate standing, access and authority to challenge the Executive. Subsidiary, branch and divisional Heads of Internal Audit should also be of a seniority comparable to the senior management whose activities they are responsible for auditing.
13. Internal Audit should have the right to attend and observe all or part of Executive Committee meetings and any other key management decision making fora.
14. Internal Audit should have sufficient and timely access to key management information and a right of access to all of the organisation's records, necessary to discharge its responsibilities.
In organisations in which the Internal Audit function is outsourced, the Chair of the Audit Committee should identify an appropriate individual responsible for ensuring that the Chief Internal Auditor has sufficient and timely access to key management information and decisions.
15. The primary reporting line for the Chief Internal Auditor should be to the Chairman of the Audit Committee. In exceptional circumstances, the Board may wish for Internal Audit to report directly to the Chairman of the Board, or delegate responsibility for the reporting line to the Chairman of the Board Risk Committee, provided the Chairman of the Board Risk Committee and all the other Committee members are independent Non-Executive Directors. The reporting line must avoid any impairment to Internal Audit's independence and objectivity.
16. The Audit Committee should be responsible for appointing the Chief Internal Auditor and removing him/her from post.
17. The Chairman of the Audit Committee should be accountable for setting the objectives of the Chief Internal Auditor and appraising his/her performance. It would be expected that the objectives and appraisal would take into account the views of the Chief Executive. This appraisal should consider the independence, objectivity and tenure of the Chief Internal Auditor.
18. The Chairman of the Audit Committee should be responsible for recommending the remuneration of the Chief Internal Auditor to the Remuneration Committee. The remuneration of the Chief Internal Auditor and Internal Audit staff should be structured in a manner such that it avoids conflicts of interest, does not impair their independence and objectivity and should not be directly or exclusively linked to the short term performance of the organisation.
19. Subsidiary, branch and divisional Heads of Internal Audit should report primarily to the Group Chief Internal Auditor, while recognising local legislation or regulation as appropriate. This includes the responsibility for setting budgets and remuneration, conducting appraisals and reviewing the audit plan. The Group Chief Internal Auditor should consider the independence, objectivity and tenure of the subsidiary, branch or divisional Heads of Internal Audit when performing their appraisals.
20. If Internal Audit has a secondary Executive reporting line, this should be to the CEO in order to preserve independence from any particular business area or function and to establish the standing of Internal Audit alongside the Executive Committee members.
21. The Chief Internal Auditor should ensure that the audit team has the skills and experience commensurate with the risks of the organisation. This may entail training, recruitment, secondment from other parts of the organisation or co-sourcing with external third parties.
22. The Chief Internal Auditor should provide the Audit Committee with a regular assessment of the skills required to conduct the work needed, and whether the Internal Audit budget is sufficient to allow the function to recruit and retain staff with the expertise and experience necessary to provide effective challenge throughout the organisation and to the Executive.
23. The Audit Committee should be responsible for approving the Internal Audit budget and, as part of the Board's overall governance responsibility, should disclose in the annual report whether it is satisfied that Internal Audit has the appropriate resources.
24. The Board or the Audit Committee is responsible for evaluating the performance of the Internal Audit function on a regular basis. In doing so it will need to identify appropriate criteria for defining the success of Internal Audit. Delivery of the audit plan should not be the sole criterion in this evaluation.
25. Internal Audit should maintain an up-to-date set of policies and procedures, and performance and effectiveness measures for the Internal Audit function. Internal Audit should continuously improve these in light of industry developments.
26. Internal Audit functions of sufficient size should develop a quality assurance capability, with the work performed by individuals who are independent of the delivery of the audit. The individuals performing the assessments should have the standing and experience to meaningfully challenge Internal Audit performance and to ensure that Internal Audit judgements and opinions are adequately evidenced.
The scope of the quality assurance review should include Internal Audit's understanding and identification of risk and control issues, in addition to the adherence to audit methodology and procedures. This may require the use of resource from external parties. The quality assurance work should be risk-based to cover the higher risks of the organisation and of the audit process. The results of these assessments should be presented directly to the Audit Committee at least annually.
27. Where the Internal Audit function is outsourced to an external provider, Internal Audit's work should be subject to the same quality assurance work as the in-house functions. The results of this quality assurance work should be presented to the Audit Committee at least annually for review.
28. In addition, the Audit Committee should obtain an independent and objective external assessment at appropriate intervals. This could take the form of periodic reviews of elements of the function, or a single review of the overall function. The conformity of Internal Audit with the recommendations included in this guidance should be explicitly included in this evaluation. The Chairman of the Audit Committee should oversee and approve the appointment process for the independent assessor.
29. Nature and purpose of the relationship
The Chief Internal Auditor, and other senior managers within Internal Audit, should have an open, constructive and co-operative relationship with regulators which supports sharing of information relevant to carrying out their respective responsibilities.
30. The Chartered Institute of Internal Auditors should consider developing additional guidance on the application and implementation of the recommendations detailed in this guidance. In particular, less well established areas for Internal Audit activity, such as auditing culture and outcomes would benefit from additional guidance.
31. This Committee recommends that the Chartered Institute of Internal Auditors should review this guidance after a period of two to three years, and consider amending or updating the guidance as required.
Comparison between the FS code and the International Standards
The Chartered Institute of Internal Auditors and IIA Global have jointly produced a comparative guide, outlining the relationship between the Financial Services Code and the International Standards. This is presented in two ways:
International Standards mapped to the FS code (pdf) - lists the relevant Standards, indicating how the FS code maps to them.
Other policy initiatives
Details of the evolving story of the code and other policy initiatives are in the Policy section.
Thanks to EY for permission to use their audio/visual material.