2016 financial services code review

The revised financial services code

The review of the Chartered IIA's financial services code was undertaken by an independent committee and concluded in September 2017. The review highlighted that the code was fundamentally sound and highly relevant, and only modest changes were made.


In July 2013 the Chartered IIA published a set of recommendations for the financial services sector. Known as the FS code, the recommendations aim to improve the effectiveness of internal audit in the sector.

That code provides UK financial services firms with a sector-specific benchmark against which boards and regulators can assess the effectiveness of their internal audit functions; and which internal audit teams in all parts of the sector can use as a point of reference. It builds on the existing International Standards for best practice in internal audit.

Preliminary research by the institute published in 2014 and 2015 suggested that the code has had a positive initial impact, particularly in relation to the profile, resources and independent status of internal audit in financial services firms.

However, the independent committee which drew up the code recommended that it should be revisited after two to three years, to provide an opportunity to refine the recommendations to reflect evolving practice and implementation expectations; to correct any unintended consequences that may have arisen in the application of the code; and to assess whether, overall, the code has been effective in achieving its objectives.

The review concluded in September 2017 and only modest changes were made, highlighting the soundness and relevance of the original code.

The changes

The clear message from stakeholders was that the code had achieved all or most of its original objectives, and crucially that it had been instrumental in supporting real improvements in internal audit across the sector. It remains both highly relevant and fundamentally sound. There were, however, a few areas where stakeholders and the committee both felt that the code would benefit from modest amendment, either to make explicit points which may not have been clear enough to all, or to underline particular important aspects of best practice.

The updated text as published therefore includes some changes, the most significant of which are described below:

  • It makes clear that it is the responsibility of internal audit to come to its own view about how the audit universe for its own organisation should be structured, in the light of the structure and risk profile of the organisation concerned (paragraph 4)
  • It underlines that it is for internal audit to decide (subject to approval by the audit committee) which areas should or need not be covered in the regular audit plan, on the basis of its own assessment of risk (paragraph 4)
  • It emphasises that it is the responsibility of internal audit to assess not only the processes followed by the first and second lines of defence in the organisation, but also the quality of their work, and that the scope of internal audit needs to be reviewed regularly to take account of new and emerging risks (paragraph 6)
  • It requires internal audit to report each year to the audit committee, in the context of its opinion on the overall control environment, on whether the organisation’s framework for risk appetite is being adhered to right across the business (paragraph 6c)
  • It emphasises that, in relation to the culture of the organisation, internal audit needs to look at whether observed behaviours across the organisation are in line with the formally espoused values, ethics, risk appetite and policies of the business (paragraph 6d)
  • It spells out the requirement for internal audit to look at the outcomes of processes (paragraph 6h), not only at their design
  • It says that internal audit’s reporting to the audit committee should include reviewing any relevant post-mortem or ‘lessons learned’ analyses following significant adverse events at an organisation, including the roles of the key actors (paragraph 8)
  • It spells out the requirement for internal audit to evaluate the effectiveness of other functions such as risk management or compliance before deciding to what extent it can take account of their work, either in performing its initial risk assessment or in determining its own level of audit testing (paragraph 11)
  • In addition to the consideration in the annual appraisal by the audit committee chair of the chief internal auditor’s objectivity and independence, it requires this explicitly to be discussed with the audit committee each year after the chief internal auditor has been in post for seven years (paragraph 17)
  • And it makes clear that, whatever the size of a financial services organisation and its internal audit team, the internal audit function should be subject to an independent and objective external assessment at least every five years (paragraph 28).

The committee

The review of the code was led by an independent committee of senior industry figures, with the support of regulators.

The committee was chaired by Mike Ashley, chair of the audit committee of Barclays. It includes senior executives and non-executives from banking, insurance and asset management. The Bank of England/Prudential Regulation Authority, the Financial Conduct Authority and the Financial Reporting Council will all participate as observers.

Committee members:

Mike Ashley, committee chair

Mike is audit committee chair at Barclays, the board of which he joined as a non-executive director in September 2013. In addition, Mike is chairman of the Government Internal Audit Agency.

Mike was formerly Head of Quality and Risk Management for KPMG Europe LLP (ELLP), which formed part of the KPMG global network, where his responsibilities included the management of professional risks and quality control.

He was a member of the ELLP Board and was also KPMG UK's designated Ethics Partner. Mike has over 20 years’ experience as an audit partner, during which he was the lead audit partner for several large financial services groups, most recently HSBC Holdings and Standard Chartered PLC, and also for the Bank of England.

Tom Deane

Tom Deane became audit director at Tesco Bank in September 2013, and has held the position ever since.

Tom is a finance professional and chartered accountant with twenty-nine years’ experience. He is currently the Audit Director of Tesco Bank (SMF5), and his previous roles include Audit Director Finance at Lloyds Banking Group and eleven years in both audit and finance roles at Capital One, a fast-growing and constantly changing financial services company.

He has a track record of leading audit and finance functions and running well-controlled processes. His experience also includes implementing a number of new IT systems and leading a significant change programme.

Pam Kaur

Pam Kaur is group head of internal audit at HSBC Holdings plc. Pam was appointed to her current role in April 2013.

Before joining HSBC, Pam was global head of group audit at Deutsche Bank. Other previous roles have included chief financial officer and chief operating officer, restructuring and risk division, at The Royal Bank of Scotland, and group head of compliance and anti-money laundering at Lloyds TSB. She began her career in internal audit at Citibank. 

Pam has an MBA in Finance, and a BCom (Hons) from Punjab University in India. She qualified as a chartered accountant at Ernst & Young.

Brendan Nelson

Brendan Nelson is audit committee chair at RBS, the board of which he joined as a non-executive director in April 2010.

Prior to his role at RBS, Brendan was global chairman, financial services for KPMG. He previously held senior leadership roles within KPMG including as a member of the KPMG UK board from 1999 to 2006 and as vice-chairman from 2006. Brendan also served as chairman of the audit committee of the Institute of Chartered Accountants of Scotland from 2005 to 2008 and as president of the Institute of Chartered Accountants of Scotland from 2013 to 2014.

James Turner

James Turner joined Prudential in 2010 as the Director of Group-wide Internal Audit. During five years in the role James built the stature of the internal audit team and successfully implemented the IIA code for internal audit in financial services.

In his current role of Director of Group Finance, James’ principal accountability is to maintain the highest standard of internal and external reporting in terms of integrity, speed, relevance, transparency and quality. This includes management and Board MI and all Group external financial reporting obligations under IFRS, EEV and US GAAP.

Prior to Prudential, James was the Deputy Head of Compliance for Barclays. He also held a number of senior audit roles across the Barclays group.

Julia Wilson

Julia joined 3i in January 2006. She became Group Finance Director with effect from 30 November 2008, having been appointed to the Board of 3i Group plc on 1 October. She is a member of the Executive and Investment Committees.

Julia began her career at Arthur Andersen. After senior tax roles with Hanson plc and Tomkins plc, she became Group Tax Director at Cable & Wireless plc in 2000 and subsequently Group Director of Corporate Finance.

Julia is also a non-executive director of Legal & General Group plc, and a member of the ICAEW (ACA) and the Chartered Institute of Taxation.

In attendance

Stephen Brown

Stephen Brown joined the Bank of England, as head of internal audit, from JP Morgan Chase in 2005. Before joining the Bank, he held a variety of senior internal audit positions with American banks where he specialised in capital markets, international banking and payment systems. He has extensive international experience gained in Europe, the United States (where he spent five years with Bank One) and the Far East. He supports the internal audit profession in a variety of fora. Stephen read physics at Durham University and is a fellow of the Association of Chartered Certified Accountants.

Lalitha Henry

Lalitha Henry is head of internal audit at the FCA. An Australian Chartered Accountant, Lalitha has over 20 years’ experience in the financial services industry in Australia, Singapore and London. Lalitha held senior roles in Risk, Compliance, and Internal Audit in a big four professional services firm, one of Australia’s big four banks, a leading wealth manager, and financial service regulators in Australia and London. Lalitha wrote the Treating Customers Fairly strategy paper when she was seconded to the FSA while working in EY London’s Regulatory Practice. She also wrote a number of articles on Complaints and Treating Customers Fairly which were published in EY’s Financial Services Brief.

Paul George

Paul is Executive Director of the Corporate Governance & Reporting Division at the FRC. Paul joined the FRC in 2004 as director of the Professional Oversight Board. He was Chair of the International Forum of Independent Audit Regulators (IFIAR) from April 2011 to April 2013. He holds a degree in Accountancy and Financial Analysis from Warwick University, qualified as a Chartered Accountant with KPMG in 1985 and was a partner from 1995 until he left the firm in 1999.

Following KPMG, and prior to joining the Financial Reporting Council in 2004, Paul was a main board director of a UK publicly quoted company specialising in helping multi-national companies improve their operational efficiency and the effectiveness of their finance functions.

Dr Ian Peters

As Chief Executive of the Chartered IIA, Dr Ian Peters is responsible for the day to day business of the Institute and acts as its key spokesperson. His role is to lead the executive staff in the delivery of operational performance and the achievement of strategic and business objectives.

In 2015 Ian was awarded an MBE for services to regulatory reform and in recognition of his work as a member of the Government's Regulatory Policy Committee (RPC).

Alisdair McIntosh

Alisdair was Policy & External Relations Director at the Chartered IIA. Through his role, Alisdair led the IIA's policy programme, working closely with the Chief Executive and the Communications Director, to influence business leaders, policy makers, and regulators on internal audit's role and value in corporate governance, risk and internal control.

Content reviewed: 6 October 2017