Brydon Review and the IIA Code of Practice – Impact on Internal Audit

05 March 2020

In December 2019, the Brydon review was published. Commissioned by the Secretary of State for Business, Energy and Industrial Strategy (BEIS), the review looked at different aspects of the external audit market, particularly in relation to large public companies, and made recommendations for change.

If implemented, the proposed reforms will be mandatory and will expand the compliance requirements for the UK's largest listed businesses. Although directed at large public companies, these changes are also likely to filter through to other large organisations in both the private and third sectors.

Although it may take some time before Brydon’s recommendations are turned into regulation, proactive internal audit functions should take the opportunity to work with their companies to consider how to derive value from the guidance and to prepare to address the recommendations.

The recent launch of the Chartered Institute of Internal Auditors’ (IIA) new Internal Audit Code of Practice is timely, as it aims to increase the status, scope and skills of internal audit.

Unsurprisingly, the reforms will affect internal audit in its role of supporting businesses to manage risk and providing assurance to boards. The Chartered Institute of Internal Auditors, the professional body that specifically represents internal auditors, has called on the Government to take “swift action” on audit reform following the publication of Brydon’s report. In particular, the institute emphasised its support for the proposals that “strengthen the requirements on company directors in relation to the risk, internal control and governance frameworks.” The report itself highlighted the IIA’s development of an Internal Audit Code of Practice, published in January 2020.

What is the impact of the Brydon review and how can Internal Audit prepare for it?

The result of 12 months’ work and running to 138 pages, the Brydon report made 64 key recommendations aimed at improving the perception and quality of audit. In the main these relate to improving the quality of statutory audit; however, a number of recommendations relating to internal controls and management’s attestations over them, risk reporting and fraud management have a direct bearing on internal audit.

We have detailed some of the key recommendations below and how these will impact internal audit.

Internal Controls

Brydon makes a number of recommendations specifically focused around internal control and governance, including:

  • There should be annual attestations by the CEO and CFO to the board on the effectiveness of internal controls over financial reporting.
  • Attestations should include any failures of relevant controls.
  • Where failures in internal controls are reported, the CEO/CFO’s attestations should be audited for the following three years.

This increased scrutiny of, and attestation over, internal controls can be seen as a move towards a 'SOX-lite' regime. The idea was already raised by the Kingman review, and BEIS is developing proposals that are expected later in 2020. These would likely lead to a significant strengthening of the current UK Corporate Governance Code requirement for an annual assessment of the effectiveness of risk management and internal control systems.

Internal audit will need to consider the level of assurance it provides to C-suites and audit committees on internal controls, and how this could be strengthened to meet future requirements. Companies will need to consider formalised internal control frameworks, control self-assessments, periodic certifications and an element of independent second- or third-line testing. To avoid excessive costs, it will be essential to apply the lessons of the 2002 US SOX implementation, such as robust resource planning and securing financial and technical controls skills early on.

Fraud

A key theme of Brydon is material fraud: the need for directors to disclose the actions they have taken to address it, and for external auditors to adopt a “suspicious” rather than merely sceptical mindset.

Brydon’s recommendations range from forensic accounting and fraud awareness training requirements for auditors, to the introduction of an independent fraud auditor panel with sanctioning powers to judge fairly auditors’ fraud detection performance. All statutory auditors would have an obligation to endeavour to detect material fraud in all reasonable ways. Of primary importance to internal audit is the recommendation that the board report on the actions it has taken to fulfil its obligations to prevent and detect material fraud. Internal audit will be in a prime position to give directors early assurance that the fraud risk management framework is effective.

Assurance Policy

Brydon recommends that the audit committee publishes a three-year rolling audit and assurance policy. Broader than external audit, it will need to consider all of the company’s sources of assurance, including internal audit. Whilst many large corporates have adopted the ‘three lines of defence’ model and have, to some extent, identified their key sources of assurance, most have yet to roll out a comprehensive assurance model. This should be a priority for the audit committee, and we fully expect that internal audit will be tasked with completing this exercise.

Risk Reporting

Currently, directors of large corporates include information on principal risks and uncertainties within the annual report. Brydon argues that it would be preferable for shareholders to have the opportunity to consider the latest ‘Risk Report’ before the audit committee endorses any plan for the next audit. Brydon suggests, therefore, that directors publish a ‘Risk Report’ prior to the audit committee meeting, at which the scope of the next audit is determined and endorsed. This greater prominence of risk reporting should be beneficial in terms of increased support and adoption of high-quality, risk-based internal audit.

Resilience Statement

Brydon further recommends that directors publish a Resilience Statement replacing the existing Going Concern and Viability Statements. The Resilience Statement would incorporate a going concern opinion for the short term, a statement of resilience in the medium term, and a consideration of the risks to resilience in the long term. Whilst we expect risk and group finance teams to take the lead on these disclosures, internal audit is likely to be called upon to provide assurance over the medium- and long-term resilience statements, as well as to challenge the processes, information and models that support them.

Payment practices

Brydon recommends that directors report to shareholders on their company’s payment policies and performance, and that this be subject to some level of audit. Internal audit should be well positioned to employ its analytical tools and skills to evaluate the accuracy of payment performance data. Additionally, organisations may wish to engage third-party services to provide assurance over their payment practice arrangements.

The IIA Code of Practice

The Brydon Review, together with the release of the IIA Code of Practice in January 2020, represents an exceptional opportunity for Internal Audit to further elevate itself and the value it delivers.

The new Internal Audit Code of Practice aims to strengthen corporate governance following a series of high-profile collapses linked to governance deficiencies, including Carillion.

The Code of Practice should be applied in conjunction with the existing International Professional Practices Framework (IPPF), published by the Global Institute of Internal Auditors, which includes the International Standards for the Professional Practice of Internal Auditing (‘the IIA Standards’).

The Code builds on those Standards and seeks to increase the effectiveness and impact of internal audit within organisations by clarifying expectations and requirements.

The Code is principles-based. It applies to organisations in the private and third sectors with an internal audit function, and to audit committees of independent non-executive directors. It is expected that the Code should be applied proportionately: smaller organisations should apply the principles on which the Code is based in light of their size, risk profile and internal organisation, as well as the nature, scope and complexity of their operations.

Below, we consider seven new recommendations from the 2020 Code and, for each, what internal audit functions may need to consider.

Risk Appetite: Internal audit should report annually to the Audit Committee its conclusions on whether the organisation’s risk appetite is being adhered to.

  • Has your organisation defined its appetite for risk?
  • Is risk appetite being reviewed on an annual basis?
  • How is your organisation adhering to its risk appetite, and is this reported annually to the Audit Committee?

Risk and Control Culture: Internal audit should include within its scope the risk and control culture of the organisation.

  • Internal audit may wish to include details of the risk culture within its scoping documents and ask management for its opinion on the risk and control culture of the organisation.
  • Internal audit can consider including a section on culture within each of its internal audit reports.
  • Internal audit may wish to undertake specific reviews of organisational culture.

Chief Internal Auditor: Where the tenure of the Chief Internal Auditor exceeds seven years, the Audit Committee should explicitly discuss annually the chair’s assessment of the Chief Internal Auditor’s independence and objectivity.

  • Organisations should consider the length of time that the CIA has been in post and, if longer than seven years, report this to the Audit Committee for discussion of independence and objectivity.
  • Where possible, the CIA may wish to provide supporting evidence of how they maintain their independence and objectivity.

Reporting Lines: Internal audit should have direct contact with the CEO and a direct reporting line to the Audit Committee Chair.

  • Review the reporting lines for internal audit.
  • Does internal audit have regular contact with, and a clear reporting line to, the CEO and the Audit Committee Chair?

Executive Committee Meetings: Internal auditors should have the right to attend and observe executive committee meetings.

  • Internal audit should consider whether it is able to attend executive committee meetings, and should do so proactively.
  • Good practice would be to attend executive committee meetings on at least an annual basis.

Unrestricted Access: Internal audit should have unrestricted access so that no part of the organisation is off limits.

  • Does internal audit have unrestricted access?
  • Are there any parts of the organisation that internal audit is not able to review?
  • Has internal audit ever been denied access to a specific area of the organisation?

Regular Communication: There should be regular communication and sharing of information between the Chief Internal Auditor and the partner responsible for external audit.

  • Consider the relationship between internal audit and external audit: is there regular communication between the two parties, e.g. on at least a bi-annual basis?

BDO’s Risk and Advisory team has extensive experience of advising clients and audit committees on best practice in relation to governance, risk management and internal control. We are a leading provider of external quality assessment reviews of internal audit functions, and well placed to support them in strengthening their role and influence within their business. If you would like to discuss this in further detail, please contact Ruth Ireland, Partner; Tim Foster, Partner; Nigel Burbidge, Partner; Sarah Hillary, Partner; or Robert Noye-Allen, Partner.