In January 2020, the UK Institute of Internal Auditors (IIA) published its Internal Audit Code of Practice (the code). The guidance works alongside the existing International Professional Practices Framework (IPPF) standards and is applicable for all corporates and charity organisations.
The code is a welcome addition to existing good practice guidance and it’s positive for the profession and organisations to see debate on the role and positioning of internal audit. The intention is that it will replicate the success of the IIA’s previous guidance for financial services in promoting the increased effectiveness and impact of internal audit. Martin Gardner and Eddie Best summarise the key areas and next steps.
The new guidance from the IIA is positive
Updates from the consultation draft last year are positive, particularly recognising the code should be applied proportionately and in context for each organisation, dependent on factors such as size, structure and risk profile. There is also useful clarification of the distinction between management responsibilities and the role of internal audit.
Many code sections build on existing guidance, but there are key areas for internal audit functions and audit committees to focus on to define their response and approach. Responses should also be considered in light of the recently issued Brydon report, which also has implications for the role of internal audit.
Some areas of the code will be a significant change and potentially require additional investment for a number of organisations. Audit committees need to carefully consider how they will respond to achieve the right balance between realising benefits and ensuring their approach is proportionate and tailored.
What are the key elements of the new Internal Audit Code of Practice?
A challenging element of the code for some will be in relation to the independence and authority of internal audit (section E). The principles and recommendations will require collaboration with boards and executive management, particularly:
“Internal audit should have the right to attend and observe all or part of executive committee meetings and any other key management decision-making fora.” (section E.20)
“If internal audit has a secondary reporting line, this should be to someone who promotes, supports and protects internal audit’s independent and objective voice. Ordinarily this should be the CEO in order to preserve independence.” (section E.27)
The scope of internal audit has also been clarified (section B) to confirm that it should cover processes and internal controls supporting strategic and operational decision-making. This includes assessments of ‘tone at the top’, adherence to the organisation’s risk appetite and whether observed behaviours are in line with espoused values and ethics.
Internal audit should also include within its scope an assessment of the adequacy and effectiveness of second-line control functions (section D), such as finance, treasury, HR, compliance, legal, health and safety, and risk management. These are all areas where internal audit can add value to the management of risk and achieving strategic goals. Key aspects to consider are the capability of internal audit teams to effectively deliver in these more specialist areas, as well as business receptiveness to internal audit extending into these areas.
What should audit functions do now?
Organisations should review the IIA code and perform a gap analysis. Taking a proportionate approach, organisations need to consider developing their function and approach to reflect the latest guidance, while continuing to support wider strategic goals and management requirements. When implementing the changes, organisations should consider the interaction between internal audit and the first and second lines of defence, typically by mapping across the three lines. Most importantly, the code should not be viewed as a compliance exercise, but as a tool to encourage debate and thinking, improve standards and support internal audit as a valued business partner.