Guidance on Effective Internal Audit in Financial Services Sector

04 September 2017

Since its publication (2013), the Chartered Institute's Guidance on Effective Internal Audit in
Financial Services (the code) has raised the standards of Internal Audit in the UK. Over the last year, the CIIA, through engagement with the industry, has reviewed the code and has subsequently made minor adjustments to enhance best practice across the audit sector.

What are the key changes? 

Below is a summary of the primary enhancements to the existing code: 

  • Audit Universe: Internal audit has to come to its own view about how the audit universe for its organisation should be structured, forming its own judgement on how best to segment the audit universe given the structure and risk profile of the organisation.
  • Audit Coverage: Internal audit should decide, subject to approval by the audit committee, which areas should or need not be covered as part of the audit plan.
  • Reliance on other assurance providers: Internal audit needs to assess not only the processes followed by the first and second lines of defence in the organisation, but also the quality of their work. It also needs to evaluate the effectiveness of other functions, such as risk management or compliance, before deciding to what extent it can take account of their work.
  • Risk identification: Internal audit needs to look at new and emerging risks.
  • Risk appetite: Internal audit needs to report each year on whether the organisation's framework for risk appetite is being adhered to right across the business.
  • Culture and Values: Internal audit needs to look at whether behaviours are in line with the formally adopted values, ethics, risk appetite and policies of the business.
  • Process vs design: Internal audit needs to look at processes, not only the design of controls.
  • Lessons learned: Internal audit should review any 'lessons learned' from significant adverse events.
  • 7 year review: UK companies will be required to review their internal auditors every year after they have been in post for seven years.
  • Independent assessment: Regardless of the size of a financial services organisation and its internal audit team, the internal audit function should be subject to an independent and objective external assessment at least every five years.

What next?

The revised code can be regarded as a benchmark of good practice against which organisations can assess their Internal Audit function. It is important to note that the recommendations in the code are principles-based and should be applied where appropriate. BDO are actively committed to helping clients implement robust internal audit policies and practices. We help companies to understand the approach and expectations of regulators and peers.

If you would like to discuss any of the changes above, or have any questions, please do get in touch.

You can view the full update of guidance on the IIA website.