The Chartered Institute of Internal Auditors (IIA) UK and Ireland says a draft new Internal Audit Code of Practice launched earlier this month represents one of the most significant developments for the internal audit profession in recent years. 

One of the most significant changes is the proposal to publish a single Code of Practice, instead of publishing separate Codes of Practice for financial services and non-financial services. This will raise the bar across the whole internal audit profession, as the Chartered IIA strives to ensure businesses are identifying, managing and mitigating their risks effectively.

Under the revised Code currently under consultation, internal audit will be expected to support any board disclosure on the company’s risk management and internal control framework. This is in line with the new requirements from 1 January 2026 for an Internal Controls Declaration as part of the revised UK Corporate Governance Code. 

Essential support

ICAEW’s Director of Corporate Governance and Stewardship, Peter van Veen says: “It’s essential that the internal audit function is able to support the board in that declaration, because it will invariably be the internal audit function that will need to implement the risk management and internal control frameworks.” 

The Code also requires all internal audit functions to include capital and liquidity risks and the risks arising from poor customer treatment in their priorities, in response to corporate failures outside of financial services linked to these risks.

Meanwhile, environmental sustainability, climate change risks and social issues; technology and data risks; and financial crime, economic crime, and fraud will also now fall under the internal audit priority remit. The new Code also calls on the internal audit remit to include supporting the board to assess the organisational culture, not just the risk and control culture.

“These are all areas that audit committees are expected to provide oversight over in terms of risk management and the accuracy of the company’s reporting. So, it makes perfect sense for the internal audit function to provide support to the audit committee on those areas,” Van Veen adds. 

Going too far

However, Van Veen says there is a risk of scope creep and that internal audit functions will take on too much. For example, internal audit should certainly give assurance to the board that risk management processes are robust and that the organisation is capturing the right risks rather than necessarily taking on this functional role. 

“We wouldn’t expect the internal audit function to be capturing all risk data, but it should certainly be checking that the data is being captured and is being properly escalated.”

Van Veen also says he isn’t entirely convinced it makes sense to expand the role of internal audit to include assessment of organisational culture. “In the case of culture audits, internal audit should certainly work with human resources to understand what data is being captured and how, rather than necessarily looking to capture the data itself.” 

The revision of the Internal Audit Code of Practice is being led by an independent committee of senior audit industry leaders with the involvement of senior figures from key regulators. 

The committee is chaired by Sally Clark, Audit Committee Chair of Citigroup Global Markets, who is also a non-executive director on several boards including AIB (UK) and Bupa.

Resilience, culture, honesty

Clark says: “Whether it’s supporting greater financial resilience, assessing corporate culture, or keeping companies honest on their ESG commitments, the internal audit profession needs to be bold and courageous to remain relevant and deliver value. Through this Code, we want to empower internal audit to have a key voice and opinion as it helps to protect the assets, reputation, and sustainability of our organisations.” 

Anne Kiem OBE, Chief Executive of the Chartered IIA, says a dynamic and forward-looking internal audit profession was needed to support boards in navigating an increasingly complex and multifaceted risk landscape.

“We have seen too many incidents of the impact of insufficient attention to audit and corporate governance that sadly can lead to corporate collapse. Our Code is a practical guide for how internal audit can raise the bar and how organisations can make the best use of their internal audit function.”

The eight-week consultation on the draft code will close on 8 May. The final version of the revamped Internal Audit Code of Practice will be published by September 2024, in time for the new Global Internal Audit Standards and the revised UK Corporate Governance Code, which both come into effect on 1 January 2025.