ICAEW.com works better with JavaScript enabled.

Empowering internal auditors to be bold and brave


Published: 09 Apr 2024

Exclusive content
Access to our exclusive resources is for specific groups of students, users, subscribers and members.
The Chartered Institute of Internal Auditors (CIIA) has announced a consultation to revamp its two Codes of Practice (for financial services and non-financial services).

The refreshed single Internal Audit Code of Practice (Code) aims to deliver a stronger internal audit profession that support efforts to improve audit and corporate governance. Stakeholders, including ICAEW members, have until Wednesday 8th May to respond to the public consultation.

Raising the bar

The draft combined Code is designed to build on the success of the existing Codes in raising the bar by further boosting the status, standards, scope, and skills of internal audit functions. One of the most important reasons for the update is to ensure that the new Code is aligned with the new Global Internal Audit Standards and the revised UK Corporate Governance Code, both of which come into force next January. The timing of the Code consultation enables interested parties to consider all three frameworks and ensure there is alignment. The Code has also been updated to reflect evolving industry practices. 

The consultation on the draft Code provides an important opportunity to challenge, debate and discuss the role and purpose of internal audit and to further raise the bar of the profession. Indeed, raising the bar and striving for excellence was the main reason why the first Financial Services Code was developed over a decade ago in response to the global financial crisis. And why building on that success, the Non-Financial Services Code was published in early 2020. Both Codes have played a key role in increasing the relevance, impact, and effectiveness of internal audit. But we know there is more to do to stretch and strengthen the profession further. In doing so we will play our part in building trust and improving corporate governance. The Code aims to encourage the profession to be bold and brave, to remain relevant, have an impact and deliver value. It will empower the profession to play its proper role in protecting the assets, reputation, and sustainability of our organisations. 

Principles-based guidance

Importantly the Code retains its principles-based guidance on running an effective internal audit function. It is explicitly and deliberately positioned to provide guidance to a wider audience than internal auditors, being particularly aimed at audit and risk committee members along with other executive and non-executive directors. Once agreed the revised Code will provide a new industry benchmark for best practice internal audit. It will provide a gauge for boards, audit committees and regulators to assess the role, function, and effectiveness of internal audit functions.
Developing a single Code
The development of the new Code is being led by an independent committee of senior audit industry leaders. Senior figures from key regulators are also involved. The Committee is chaired by Sally Clark who is the Audit Committee Chair of Citigroup Global Markets Ltd as well as a non-executive director on several boards including A.I.B (UK) Plc and Bupa. Representatives from the Bank of England, Central Bank of Ireland, Financial Conduct Authority, and Financial Reporting Council are attending committee meetings as observers. 

One of the most significant changes is in presenting a single Code to replace the separate Codes for financial services and non-financial services. Recognising the need to continue to raise the bar for all internal audit functions, the draft single Code preserves the more stringent regulatory requirements that apply to internal auditors in the financial services sector, while allowing flexibility for those outside it. This puts financial services and non-financial services internal audit functions on an equal footing and ensure the rising tide lifts all boats. It is also helpful to the many organisations with elements of both financial services and non-financial services businesses.

Developments in both scope and priorities for internal audit

The Code proposes some important developments in the scope and priorities of internal audit, making these explicit. All internal audit functions, not just those in financial services, are expected to include within the scope of their work the capital and liquidity risks along with the risks arising from poor customer treatment. We recognise that these are important risks for all companies. The energy and water sectors are a case in point – where we’ve seen suppliers facing significant financial difficulties and customers being treated poorly. 

Other areas where the draft Code makes coverage in the scope explicit include environmental sustainability, climate change risks and social issues; technology and data risks; financial crime, economic crime, and fraud. This reflects the increased material risk exposures in these areas. We’ve seen countless examples of accusations of greenwashing, including recently Drax Power and Unilever. While the Post Office/Horizon scandal has underlined the need for stronger IT governance and the collapse of Patisserie Valerie has the need for greater focus on the effectiveness of controls designed to detect and prevent fraud. Strong, competent, and appropriately resourced internal audit functions have a vital role to play in providing independent and objective assurance on these increasingly important risk areas. 

Alignment with corporate governance developments

The Code takes into account the revised UK Corporate Governance Code requirement for an Internal Controls Declaration. It makes clear that, where appropriate, internal audit should support any Board disclosure on the company’s risk management and internal control framework and highlight any significant weaknesses identified.

Whether it is BHS, Bulb, Carillion, Patisserie Valerie, Thomas Cook or Wilko we have seen the impact of insufficient attention to audit and corporate governance and the failure to identify risks that can sadly lead to corporate collapse. While much of the focus of public discourse has centred around the role of external or statutory auditors, a stronger internal audit profession is also a vital component to strengthening audit and assurance. Yet there are many examples of where internal audit is often overlooked, or doesn’t have the appropriate positioning, standing or scope to be able to challenge effectively. 

Driving a robust internal audit profession

Our new Code advocates for robust, competent, and appropriately resourced internal audit functions. Our Code is a practical guide for how internal audit can raise the bar and how organisations can make the best use of their internal audit function. We need a dynamic and forward-looking internal audit profession that supports boards in navigating an increasingly complex and multifaceted risk landscape. This is what the new Code will support.

We anticipate that the final version of the revamped Code will be published by September 2024, alongside the new Global Internal Audit Standards and the revised UK Corporate Governance Code which both come into effect on the 1st of January 2025.  

To have your say on the draft Code and for more details of the public consultation, including the online survey and the two town hall events, click here. The closing date for consultation responses is 8 May 2024.

Open AddCPD icon

Add Verified CPD Activity

Introducing AddCPD, a new way to record your CPD activities!

Log in to start using the AddCPD tool. Available only to ICAEW members.

Add this page to your CPD activity

Step 1 of 3
Download recorded
Download not recorded

Please download the related document if you wish to add this activity to your record

What time are you claiming for this activity?
Mandatory fields

Add this page to your CPD activity

Step 2 of 3
Mandatory field

Add activity to my record

Step 3 of 3
Mandatory field

Activity added

An error has occurred
Please try again

If the problem persists please contact our helpline on +44 (0)1908 248 250