The Chartered Institute of Internal Auditors released its long-awaited new Internal Audit Code of Practice, to serve as a guide to practices and standards of internal audit professionals in the United Kingdom and Ireland.
The professional organization says the new code will increase the effectiveness of internal audit functions and strengthen corporate governance following a series of high-profile collapses linked to governance deficiencies, including the startling collapse of U.K. construction company Carillion.
The principles-based code was developed by an independent steering committee set up by the Chartered IIA and chaired by Brendan Nelson, audit committee chair of BP. The final version of the code follows a 12-week public consultation exercise in which over one hundred stakeholders participated.
“High-profile corporate collapses linked to governance deficiencies have led to a wide-ranging review of the audit and corporate governance framework,” Nelson said in a statement. “Strong, effective, and well-resourced internal audit functions have a central role to play in supporting boards to better manage and mitigate the risks they face.”
The new code aims to increase the status, scope and skills of internal audit and makes 38 recommendations for businesses including:
- Unrestricted access for internal audit so it is not stopped from looking at any part of the organization it serves and key management information.
- The right to attend and observe executive committee meetings.
- A direct line to the CEO and a direct report to the Audit Committee Chair to increase the authority and status of internal audit.
- The direct employment of Chief Internal Auditors in every business even when the internal audit function is outsourced. This is to ensure Chief Internal Auditors have sufficient and timely access to key management information and decisions.
- Regular communication and sharing of information by the Chief Internal Auditor and the partner responsible for external audit to ensure both assurance functions carry out their duties effectively.
The new Internal Audit Code of Practice was welcomed in Sir Donald Brydon’s independent review into the quality and effectiveness of audit published last month. The Internal Audit Code of Practice compliments the Brydon review recommendations, said the Chartered IIA. “The new code is an important step to improving the quality and delivery of internal audit services,” said Brydon in a statement.
Some Criticism
Not everyone is praising the new code. Internal audit expert and commentator Norman Marks says the new code does a poor job of defining internal audit, since it looks more through the lens of protecting value rather than also creating it. “Talking about protection and not the creation of value is a severe limitation of internal audit effectiveness,” wrote Marks in a recent post on the topic. “It implies that internal audit should not address things like whether decision-makers are taking the right risks for success.”
Marks also took issue with the idea in the code does not recognize that effective risk management is far more than a review of a list of the more significant risks. “I have high expectations from this UK organization. I expect to see thought leadership that moves practices forwards. This moves them backwards and is a lost opportunity,” Marks writes.
Still, the code will offer internal auditors some important guideposts for navigating the issues that arise in the course of their work. And the idea that internal auditors should have better access to any part of the organization is an advancement. 