ICAEW is putting its weight behind the new Internal Audit Code of Practice launched today to strengthen corporate governance and help organisations navigate an increasingly complex risk environment.
The enhanced code from the Chartered Institute of Internal Auditors (Chartered IAA) serves as a benchmark to embed best practices and improve internal audit practice across the UK and Ireland.
Effective from January 2025, the new code applies to all internal audit functions in the financial, private and third sectors across the UK and Ireland, in alignment with the International Professional Practices Framework, the new Global Internal Audit Standards and the revised UK Corporate Governance Code.
Previously there was a separate code for financial services firms. Now, internal audit functions across all sectors should assess capital and liquidity risks and risks stemming from poor customer treatment.
Enhanced reporting
This latest version of the code also calls for a summary of the internal audit function’s activities, impact and effectiveness in the annual report and accounts. It furthermore calls for culture audits that extend beyond risk and control culture to encompass broader cultural risks.
Meanwhile, the code brings emerging risks into scope and calls on internal audit to address risks posed by areas including environmental sustainability, climate change, social issues, financial and economic crime, and technology risks such as AI and cyber security.
Internal audit’s assessments of risk management and internal controls should now support board disclosures on material controls, aligning with the revised UK Corporate Governance Code. At the same time, the internal audit functions should coordinate with other assurance providers on key risks and assurance timing to ensure risk coverage is comprehensive, the code says.
Restoring trust and supporting economic stability
Anne Kiem OBE, Chief Executive of the Chartered IIA, says a robust internal audit profession is essential to restoring trust in the broader audit and corporate governance ecosystem and supporting economic stability.
“As organisations confront an increasingly uncertain and dynamic risk landscape, the new Internal Audit Code of Practice offers a crucial framework that will enhance the role of internal audit in advising and providing assurance to boards and senior management over their organisation’s risks, controls and corporate governance processes.”
Alan Vallance, ICAEW Chief Executive, says: “Internal auditors are a key part of the organisation's audit and assurance capability and provide confidence to the board and the executive that risk management process and internal controls are in good order.
“Many of our members work as internal auditors or work closely with them as CFOs or audit committee chairs. We therefore welcome the revised Internal Audit Code of Practice as it further strengthens the role of internal audit.”
Mark Babington, Executive Director, Regulatory Standards at the Financial Reporting Council, which contributed to the code’s development, says: “This code is a significant step forward in improving independent assurance over the way businesses manage risk and assess the effectiveness of their internal controls to support reporting against the Corporate Governance Code.”
Best practice in a single document
Peter van Veen, ICAEW Director, Corporate Governance and Stewardship, says having a unified code brings best practice from across sectors into a single document. “It also strikes a good balance between large company internal audit and smaller entities – most of these principles are scalable, so you don’t need lots of resources to make use of the new code.”
Van Veen says he particularly welcomed clarity around internal audit’s independence and objectivity. “The code also highlights the importance of ensuring that internal audit has the appropriate standing in the organisation and that it has unfettered, timely access to all of the organisation’s data. It is also key that internal audit has a direct line to the audit committee and preferably reports directly into the chair of this committee.
Internal audit to support board and audit committee
Meanwhile, van Veen welcomed the code’s warnings not to compromise internal audit’s independence by extending its remit to second-line functions. “Internal audit is there to support the board and the audit committee in particular, to assess risks and ensure those risks are being adequately managed by the organisation, and that the auditing of internal processes can be done without interference from management.
“But it’s very hard to do that if they are also responsible for second-line functions such as compliance, investigations or cyber security. Internal audit should never be put in a position where it has to mark its own homework.”
The code is not drafted with the public sector specifically in mind. Therefore, public sector internal audit functions should continue to follow the Public Sector Internal Audit Standards.
Download the Internal Audit Code of Practice – principles on effective internal audit in the financial, private and third sectors
Join your peers
ICAEW's Internal Audit Conference 2024 focuses how internal audit builds resilience. Hear from the Government Internal Audit Agency, the IIA and the Institute of Business Ethics.
- AI and ethics: could finance become too reliant on AI?
- Economic update: stars align for November interest rate cut
- Understanding AI: what is – and isn’t – artificial intelligence?
- Trustees’ Week: why volunteering your time is a two-way street
- COP 16: TNFD issues guidance for corporate nature transition plans