8 Ways the Proposed UK Internal Audit Code of Practice Goes Beyond the Global Internal Audit Standards

When I first learned that a UK financial service (FS) internal audit code was being developed in 2013, I was the President and CEO of IIA Global. At the time, I was concerned that it might create confusion and somehow undermine the IIA global standards (The IPPF) — but I understood that without this additional guidance for the UK’s FS internal audit functions, the UK FS regulators were prepared to develop their own. It turned out that my fears were unfounded. The Internal Audit Financial Services Code of Practice was successfully published by the UK’s Chartered Institute of Internal Auditors (CIIA) and has coexisted effectively with the IPPF for over a decade. In fact, the FS Code was a model for a complementary Code of Practice for internal audit in the private and third sectors released by the CIIA in 2020.

Following the release of the new Global Internal Audit Standards earlier this year, an independent committee of audit committee chairs, chief audit executives, and senior internal audit professionals was convened to update the two existing UK Codes into a new proposed “Internal Audit Code of Practice” that would apply to financial service as well as private and third sector auditors. I have profound respect for the work that has gone into these proposals that endeavor to place all internal audit functions “on equal footing, with the aim being to raise the bar across the profession.” 

The consultation draft was recently released, and public comment is being sought through May 8, 2024 via an online survey. I encourage every auditor in the UK and Ireland to familarize themselves with the changes outlined in the proposal, and to make their voice heard. To that end, I’ve collected eight of the most potentially impactful proposed changes that I think auditors should know about. 

8 Changes in the Proposed UK Internal Audit Code of Practice Every Auditor Should Be Aware Of

The new Code makes clear that it should be applied in conjunction with the Global Internal Audit Standards. It includes the statement that the “Code” builds on these Standards and seeks to increase the impact and effectiveness of internal audit by clarifying expectations and requirements.” The Code is principles-based, and urges that principles be “applied proportionately, in line with the nature, scope and complexity of the organisation.”

As I reviewed the proposed Code, I was impressed by how clearly and logically it is organized. The Code’s 36 principles are organized under seven headings:

1. Role and mandate of internal audit
2. Scope and priorities of internal audit
3. Reporting results
4.  Interaction with risk management, compliance and control functions
5. Independence and authority of internal audit
6. Resources
7. Quality assurance and improvement programme

I was struck by how much further the principles go when compared with The Global Internal Audit Standards. In fact, there were 8 provisions that I think are particularly noteworthy for internal auditors:

1. Internal audit’s charter “should be publicly available, and the company’s annual” report of accounts “should summarise the role of internal audit, the function’s main activities and conclude on internal audit’s impact and effectiveness.”
2. Internal audit should assess whether the organization’s “risk appetite has been established and reviewed through active involvement of the board and senior management.”
3. The Code prescribes 13 specific areas that should be included within internal audit’s scope including strategy and business model; organizational culture; internal governance; environmental sustainability, climate change risks and social issues; and risks of poor customer treatment, giving rise to conduct or reputational risks.
4. Internal audit should provide “overall opinions” on the areas (from item 3 above) included within its scope. At least annually, “internal audit’s reporting to the board audit, board risk and any other board committees should include an overall opinion on the effectiveness of the governance, and risk and control framework of the organisation, and its overall opinion on whether the organisation’s risk appetite is being adhered to.”
5. For FS internal audit functions, the Code prescribes that internal audit have no responsibility for any other function (risk management, compliance, etc). For non-FS functions, the code stresses that “objectivity of internal audit is strongest if it is neither responsible for, nor part of, the control functions and such separation is to be preferred.”
6. The “primary reporting line” for the CAE should be to the chair of the audit committee. The audit committee chair is responsible for determining the appointment and removal of the CAE and setting the objectives and appraising their performance.
7. Even if internal audit is outsourced, the CAE should always be employed directly by the organization. In addition, remuneration of the CAE “should not be directly or exclusively linked to the short-term performance of the organisation.”
8. The CAE “should ensure that the internal audit team is made up of internal auditors from a diverse range of backgrounds in accordance with the organisation’s diversity, equity and inclusion policies and procedures, as well as relevant legislation.”

Make Your Voice Heard

I applaud the Chartered IIA’s efforts to combine and update the two codes. There is much more to the proposed Code than the eight changes I have highlighted above, and I encourage internal audit practitioners to review the documents in their entirety to understand the proposed changes. In addition, I strongly urge UK and Ireland-based internal auditors to share their views on the proposed Code before the May 8 deadline. Now is the time to make your voice heard, and help to shape the future of our profession in the UK.