
Updated internal audit code to boost corporate governance

Author: ICAEW Insights

Published: 26 Mar 2024

Revised Internal Audit Code of Practice aims to empower internal audit by acting as a practical guide to supporting board disclosure on risk management and internal control frameworks.

The Chartered Institute of Internal Auditors (IIA) UK and Ireland says a draft new Internal Audit Code of Practice launched earlier this month represents one of the most significant developments for the internal audit profession in recent years. 

One of the most significant changes is the proposal to publish a single Code of Practice, instead of publishing separate Codes of Practice for financial services and non-financial services. This will raise the bar across the whole internal audit profession, as the Chartered IIA strives to ensure businesses are identifying, managing and mitigating their risks effectively.

Under the revised Code currently under consultation, internal audit will be expected to support any board disclosure on the company’s risk management and internal control framework. This is in line with the new requirements from 1 January 2026 for an Internal Controls Declaration as part of the revised UK Corporate Governance Code. 

Essential support

ICAEW’s Director of Corporate Governance and Stewardship, Peter van Veen, says: “It’s essential that the internal audit function is able to support the board in that declaration, because it will invariably be the internal audit function that will need to implement the risk management and internal control frameworks.”

The Code also requires all internal audit functions to include capital and liquidity risks and the risks arising from poor customer treatment in their priorities, in response to corporate failures outside of financial services linked to these risks.

Meanwhile, environmental sustainability, climate change risks and social issues; technology and data risks; and financial crime, economic crime, and fraud will also now fall under the internal audit priority remit. The new Code also calls on the internal audit remit to include supporting the board to assess the organisational culture, not just the risk and control culture.

“These are all areas that audit committees are expected to provide oversight over in terms of risk management and the accuracy of the company’s reporting. So, it makes perfect sense for the internal audit function to provide support to the audit committee on those areas,” Van Veen adds. 

Going too far

However, Van Veen says there is a risk of scope creep and that internal audit functions will take on too much. For example, internal audit should certainly give assurance to the board that risk management processes are robust and that the organisation is capturing the right risks, rather than necessarily taking on this functional role.

“We wouldn’t expect the internal audit function to be capturing all risk data, but it should certainly be checking that the data is being captured and is being properly escalated.”

Van Veen also says he isn’t entirely convinced it makes sense to expand the role of internal audit to include assessment of organisational culture. “In the case of culture audits, internal audit should certainly work with human resources to understand what data is being captured and how, rather than necessarily looking to capture the data itself.” 

The revision of the Internal Audit Code of Practice is being led by an independent committee of senior audit industry leaders with the involvement of senior figures from key regulators. 

The committee is chaired by Sally Clark, Audit Committee Chair of Citigroup Global Markets, who is also a non-executive director on several boards including AIB (UK) and Bupa.

Resilience, culture, honesty

Clark says: “Whether it’s supporting greater financial resilience, assessing corporate culture, or keeping companies honest on their ESG commitments, the internal audit profession needs to be bold and courageous to remain relevant and deliver value. Through this Code, we want to empower internal audit to have a key voice and opinion as it helps to protect the assets, reputation, and sustainability of our organisations.” 

Anne Kiem OBE, Chief Executive of the Chartered IIA, says a dynamic and forward-looking internal audit profession is needed to support boards in navigating an increasingly complex and multifaceted risk landscape.

“We have seen too many incidents of the impact of insufficient attention to audit and corporate governance that sadly can lead to corporate collapse. Our Code is a practical guide for how internal audit can raise the bar and how organisations can make the best use of their internal audit function.”

The eight-week consultation on the draft code will close on 8 May. The final version of the revamped Internal Audit Code of Practice will be published by September 2024, in time for the new Global Internal Audit Standards and the revised UK Corporate Governance Code, which both come into effect on 1 January 2025. 
