CIIA publishes new Internal Audit Code of Practice
The new Internal Audit Code of Practice – Guidance on effective internal audit in the private and third sectors is intended to boost the effectiveness of internal audit in the private and third sectors. It is voluntary and applies to those organisations with an internal audit function and an audit committee of non-executive directors. The code is a model of best practice against which organisations can measure their own internal audit function, and it applies whether that function is outsourced or provided in-house.
Bruce Cartwright, CEO of ICAS, said: “ICAS welcomes the publication of the Internal Audit Code of Practice by the Chartered Institute of Internal Auditors. We trust that this will build on the success of the existing Code of Practice for financial services firms and prove to be effective in encouraging best practice in internal audit and in improving its scope and status in a wider range of organisations.”
The code, published in early January 2020 by the CIIA, is likely to be of considerable interest to ICAS members (irrespective of whether they are also CIIA members) working as:
- chief internal auditors
- members of audit committees
- executive and non-executive directors
- audit partners or audit managers in professional practice
- accounting academics
- investment managers.
It may also be of interest to ICAS students and their tutors.
Development of the code
The new code is based upon the earlier CIIA Guidance on Effective Internal Audit in the Financial Services Sector (known colloquially as the “Financial Services Code”), which was produced in 2013 and revised in 2017 specifically for the financial services sector and which continues to apply to that sector alone.
In July 2019 the CIIA consulted on a Draft Internal Audit Code of Practice which would be applicable specifically to the private and third sectors. The process was overseen by an independent steering committee which included two senior ICAS members:
- Brendan Nelson CA (Chair of the Internal Audit Code of Practice Steering Committee and Audit Committee Chair of BP)
- Paul Boyle CA OBE (Committee Adviser; Chairman of Protect, the whistleblowing charity; and past President of CIIA in 2016/17).
The draft code was noted with approval by Sir Donald Brydon in Section 13.2 of his recent Independent Review into the Quality and Effectiveness of Audit (published in December 2019).
Over 100 responses (including one from ICAS) were received during the consultation period. The finalised Code has 38 recommendations contained in sections A to I comprising the areas of:
- role and mandate of internal audit
- scope and priorities of internal audit
- reporting results
- interaction with risk management, compliance and finance
- independence and authority of internal audit
- quality assurance and improvement programme
- relationship with regulators
- relationship with external audit.
Size of organisation to which the code is applicable
As it is principles-based, rather than rules-based, the code is intended to be applied proportionately and is thus applicable to smaller organisations as well as much larger ones.
Main features of the code
Some of the key features in the new code are listed below:
- Support for and acceptance of internal audit should be clearly seen to come from the very top of an organisation (Recommendation 7).
- Scope of internal audit should be unrestricted with no area or aspect of the organisation excluded from its review (Recommendation 8).
- Internal audit plans and any substantial changes to these plans should be approved by the audit committee (Recommendation 10).
- Internal audit should have the right to attend and observe all or part of executive committee meetings and other key management decision-making bodies (Recommendation 20). This recommendation partially adopts one of the key points made by ICAS in its response to the public consultation on the draft code.
- Internal audit should have “sufficient and timely” access to key management information and a right of access to all of the organisation’s records (Recommendation 21).
- The chief internal auditor should always be employed directly by the organisation (even where the internal audit function is outsourced to a third party provider) (Recommendation 21). This is to ensure that they have “sufficient and timely” access to key management information and decisions.
- The main reporting line for the chief internal auditor should be directly to the chair of the audit committee (Recommendation 22). If there is a secondary reporting line for internal audit, then the code recommends that it be to “someone who promotes, supports and protects internal audit’s independent and objective voice” and that this would usually be the Chief Executive Officer (Recommendation 27). This was adopted from another point made by ICAS in its response to the consultation.
- There should be both regular communication and the sharing of information between the chief internal auditor and the external audit partner (Recommendation 38).