The Chartered Institute of Internal Auditors has launched a public consultation on its revamped Internal Audit Code of Practice. The draft new code, which covers the financial services, private and third sectors and means there will now be one combined code for the first time, represents a significant development for the UK and Ireland’s internal audit profession, aiming to drive higher corporate governance standards and ensure businesses are identifying, managing and mitigating their risks effectively.
“Whether it’s supporting greater financial resilience, assessing corporate culture, or keeping companies honest on their ESG commitments, the internal audit profession needs to be bold and courageous to remain relevant and deliver value,” said Sally Clark, Chair of the Internal Audit Code of Practice Independent Committee, who is also a non-executive director of AIB Group and Bupa. “Through this code, we want to empower internal audit to have a key voice and opinion as it helps to protect the assets, reputation, and sustainability of our organisations.”
Treasurers typically see internal audit as a key ally. The process, designed to assess the risks facing the business and the effectiveness of the business in managing those risks along with the control processes that management have put in place, differs from an external audit, tasked, in the main, with assessing if the financial statements provide a true and fair reflection of the company.
The new code includes an increased remit for internal audit in supporting the board to assess the organisational culture, not just the risk and control culture. Additional areas internal auditors will now be expected to cover within their priorities include environmental sustainability, climate change risks and social issues, technology and data risks, along with financial crime, economic crime and fraud.
“I don’t think there are material changes in the new code, but it is better to have one rather than two codes and the requirement for proportionality and implied adaption to the particular industries and size is key,” reflects John Grout, retired corporate Treasurer and Finance Director.
Grout continues that treasury will likely welcome internal audit’s boosted role outlined in the new codes around capital and liquidity risk. Particularly the role of internal audit in assuring the board that treasury has good and systematic access to the right information about the business, budgets plans, and especially new projects, as well as having robust processes in place for tracking, forecasting, and planning in these areas. “If the treasurer does not have responsibility for capital markets activity, the correct linkages can be difficult to establish and to police,” he notes.
Still, Grout flags one area of concern. “What I think is still missing is reference to risk changes when making acquisitions and disposals or getting into new or merely related businesses or geography. Both the internal audit and treasury need to be fully briefed and to make inputs at all stages from initial consideration. Midland Bank’s acquisition of Crocker in the US and BP’s of some US refineries illustrate the risks.”
In 2005, an internal BP audit identified an array of management and safety problems after a fatal accident at a Texas installation.
“Our Code is a practical guide for how internal audit can raise the bar and how organisations can make the best use of their internal audit function. We need a dynamic and forward-looking internal audit profession that supports boards in navigating an increasingly complex and multifaceted risk landscape,” concludes Anne Kiem, Chief Executive of the Chartered Institute of Internal Auditors.