New Internal Audit Code of Practice: What Chief Audit Executives Need to Know

The Chartered Institute of Internal Auditors has published a new Internal Audit Code of Practice, combining and replacing the previous guidance documents: the Internal Audit Financial Services Code of Practice (2013) and the Internal Audit Code of Practice for the private and third sectors (2020).

This new single Internal Audit Code aims to set a best practice benchmark for internal audit teams, to support the continued focus on raising the bar for the profession. The Code is not designed for public sector organisations. They are still expected to follow the Public Sector Internal Audit Standards although they are encouraged to consider the Code.

We support the development of a single Code of Practice. This will be particularly beneficial to organisations in the third sector that also have regulated activities. With the global Internal Audit Standards and FRC changes to the Corporate Governance Code announced in January this year, this was an excellent time to review and update the Codes. Bringing them together provides a common understanding of practice and will enable greater consistency, comparison, and collaboration across industries. It will also allow internal auditors to transfer their knowledge and skills more easily between sectors.

The new Code aims to set the benchmark for best practice in internal audit but is not mandated. The principles-based nature of the Code is subjective and focuses on the new outcome statements. It is not a tick-box approach requiring the application, or exact implementation of each principle as worded. The focus on outcomes is a welcome addition, as it allows functions some flexibility and pragmatism in how they discharge their responsibilities.

The new Internal Audit Code of Practice is a step in the right direction but it does not go significantly beyond the existing standards to truly set a benchmark for best practice. It makes some advancements but is not as far-reaching as one might expect for a document positioned as a best practice guide.

Key Changes and Additions to the Internal Audit Code of Practice

We have outlined the key changes and additions to the Code, whether each change goes beyond the requirements of the Global Internal Audit Standards, and our perspective on each.

The Code introduces Outcome Statements. These statements focus on the intended outcomes rather than on inputs, and encourage a proportionate application of the principles of the Code.

We believe the Outcome Statements are helpful as internal auditors can use them to drive discussions with key stakeholders, highlighting and helping to clarify their role and importance. There is a broad set of stakeholders who have different experiences and understanding of Internal Audit.

The new Code outlines the primary role of internal audit: to help the board and senior management protect the organisation's assets, reputation, and sustainability. This is achieved by:

  • Providing independent, risk-based, and objective assurance, advice, insight, and foresight.
  • Assessing whether all significant risks are identified and appropriately reported.
  • Evaluating the adequacy of organisational controls.
  • Challenging and influencing senior management to improve governance, risk management, and internal controls.

This aligns entirely with the new Global Internal Audit Standards and, in our view, no additional effort is required to comply with and demonstrate this principle over and above the work already directed towards ensuring conformance with the new Standards.

Internal audit must be forward-looking, influencing risk management, governance and internal controls as changes occur. This proactive approach can help mitigate risks before they materialise, making better use of resources.

Reporting on how the principles have been applied is a new addition to the Code. There will be some additional effort to implement this. However, this should be minimal as it can be aligned with existing discussion and reporting on the essential conditions of Domain III. We would also expect it to form part of an internal audit team’s Quality Assurance Improvement Programme and the reporting requirements around this as part of the Global Internal Audit Standards.

Many organisations already include sections on internal audit's role and activities in their statement on internal controls and governance arrangements. While this is a new requirement in the Code, the challenge will be reporting on the impact of the internal audit function. It will be interesting to see how IA teams measure and demonstrate their impact. This requirement is over and above the Global Internal Audit Standards, but you should consider linking your impact reporting to the overall QAIP and performance against the function's objectives.

The internal audit team should comprise internal auditors with a mix of backgrounds, skills and experiences to deliver diversity of thought. The Chief Audit Executive (CAE) should recruit, retain and promote talent in accordance with the organisation’s diversity, equity and inclusion (DEI) policies and applicable legislation.

The wording of principle 27 has been updated for the final published Code. It provides a clearer view of the intention of the principle. It could still be a challenge for smaller teams or where staff turnover is low. One approach would be to use guest auditors from across the business to broaden the skills, experience, background and diversity of thought.

The CAE should ensure internal audit has the tools and technology, such as data analytics and AI, that will enhance its impact and effectiveness. This is a new addition to the Code and is linked to Global Standard 10.3 Technological Resources. The wording in the Code is slightly stronger, saying the CAE must ensure they have tools and technology, whereas the Standard states the CAE must strive to ensure they have technology to support the function.

Some CAEs may find this difficult to achieve where resource in terms of the skills, experience and budgets are limited. One possibility could be to better utilise existing technologies within the business to support the internal audit services.

Ultimately, the CAE will need to demonstrate that "Internal Audit has the right skills, experience, resources and budget to fulfil its mandate". If the internal audit function does not have sufficient resources to fulfil the mandate and deliver the plan, the CAE must discuss this with the Board under Standard 8.2.

The new Code expands on the scope of internal audit, and the intention behind the inclusion of specific scope areas is to reinforce internal audit's remit. Internal audit plans should still be risk-based; this list of topics should not be seen as a tick-box checklist of audits to cover, and should be considered in the context of the outcome statement for this section of the Code: “Internal Audit has an unrestricted scope and access to all areas of the organisation and information, including the scope areas outlined in principle 8 [summarised below]. Internal audit has an effective process to determine internal audit coverage”.

The recommended scope of internal audit activity has been extended to include:

  • Organisational purpose, strategy, and business model
  • Culture, governance, and risk appetite
  • Key corporate events, capital and liquidity risks
  • Customer treatment and reputational risk
  • Environmental sustainability, climate change risk, and social issues
  • Financial crime and fraud, technology and data risks
  • Risk management, compliance, finance, and control functions

This appears to go beyond the Global Internal Audit Standards, and these topics should be considered in the context of internal audit planning and the organisational risk assessment. This section of the Code reinforces the discussions to be held with senior management and the Board on the essential conditions of the Global Internal Audit Standards, which include a requirement to discuss any restrictions being placed on the scope of internal audit work.

Internal audit must report at least annually to the Audit, Risk, and other Board committees. It should provide an overall opinion on the effectiveness of the governance, risk, and control framework, and whether the organisation’s risk appetite is being adhered to.

The key change here between the old Codes of practice and the new single Code is the provision of the opinion. Internal audit functions that were complying with the previous code should already have been reporting to the Board at least annually with an assessment of the overall effectiveness of the governance, and risk and control framework of the organisation, and its conclusions on whether the organisation’s risk appetite is being adhered to, together with an analysis of themes and trends emerging from internal audit work and their impact on the organisation's risk profile.

This requirement for an opinion also goes over and above the new Global Standards, where the requirement for an overall opinion to be provided annually is not explicitly stated. However, under Standard 11.3 Communicating Results, the CAE must communicate the results of internal audit services to the Board and senior management periodically and for each engagement. The Standard recognises that the frequency and nature of these communications should be agreed with the Board, although it also suggests that the results of internal audit services can include conclusions at the level of the business unit or organisation. The Standard goes on to say this should provide a conclusion reflecting the judgement of the CAE.

Independence and Authority (change to the Code)

For financial services organisations, the new Code has changed the reporting line for internal audit, which should now report administratively to the Chief Executive. In the private and third sectors, this part of the Code has not been changed, and another senior manager may serve as the administrative reporting line, provided the Audit Committee Chair agrees.

The consultation draft included a requirement for the development of an assurance map on key risks. This was to be coordinated by Internal Audit but it was not clear who should own this. Debate over ownership continues given the size and complexity of respective organisations. What remains clear is the value that an assurance map can bring, and consideration should be given to completing one as part of your annual planning process.

Assurance mapping provides an effective link to an organisation's risk management framework, as it questions the risk appetite for each area (e.g. how much assurance you want or need). The exercise can also educate the wider business on assurance, risk and control. We agree this is important. While assurance mapping is no longer in the Code, the requirement to coordinate with other assurance providers remains, aligned to the new Global Standards.

There is no longer a requirement for the CAE to be directly employed by the organisation, meaning fully outsourced functions are deemed acceptable. We are pleased to see this change, as it reflects the application of proportionality and practicality of implementation.

Practical Implications for Your Organisation

Enhanced Reporting and Transparency

The new Code's emphasis on outcome statements and annual reporting will require internal audit functions to be more transparent and detailed in their communications. This will not only help in building trust with stakeholders but also in demonstrating the value that internal audit brings to the organisation.

Broader Scope of Activities

With the expanded scope, internal audit teams will need to develop expertise in new areas such as environmental sustainability, climate change risk, and social issues. This will likely require additional training and possibly the recruitment of specialists in these fields.

Focus on Independence and Objectivity

The new Code reinforces the importance of internal audit's independence and objectivity. Ensuring that internal audit reports administratively to the Chief Executive or another senior manager who safeguards its independence will be crucial. This structure will help internal audit maintain its impartiality and effectiveness.

Resource Allocation

The requirement for a diverse internal audit team with the right tools and technology means that organisations may need to invest more in their internal audit functions. There will be an opportunity to consider this across the wider business and assurance landscape – how can you more effectively combine efforts to deliver the same objective? This investment will drive return by enhancing the team’s ability to provide valuable insights and assurance.

Proactive Risk Management

The forward-looking approach advocated by the new Code encourages internal audit to be proactive in identifying and mitigating risks. This shift will help organisations manage risks more effectively and avoid potential issues before they escalate.

While the Code is not mandatory, there is an expectation that all internal audit functions should engage with the Code’s principles and there is an expectation that External Quality Assessment providers will benchmark functions against this Code. CAEs should be assessing the principles to see whether the recommended good practice enhancements are suitable for their organisation.

We are already supporting our clients in implementing these new standards and achieving excellence in internal audit. If you would like more information on the changes and how best to navigate them, please email Nicola Walker.
