Board briefing: Building effective internal audit
Download the board briefing (pdf)
Lessons learnt from implementing the IIA FS Code
To support you and your internal audit function to meet rising expectations, the Chartered Institute of Internal Auditors (IIA) recently published a report Building effective internal audit – Putting the pieces together highlighting how, in the financial sector, firms are raising the bar for their internal audit function and harnessing its resources more effectively. These examples of good practice may also be relevant in
other sectors.
The changes we report on are mainly in response to the IIA Code for internal audit, Effective Internal Audit in the Financial Services Sector. Since publication last year, regulators have had a consistent benchmark against which to gauge how audit committees are harnessing, empowering and developing their internal audit functions. So what does a good internal audit function look like?
Ten ways organisations are strengthening their internal audit functions
1. Engagement between the audit committee and head of internal audit (HIA) is crucial. But while support for introducing the right structures and audit scope is important, audit committees also need to be continually engaged on issues around internal audit effectiveness. Informal sessions with the chairman and members of the audit committee
away from formal meetings can be valuable.
2. Having a functional reporting line to the audit committee chairman, supported by an administrative line to the CEO, can transform internal audit’s influence and effectiveness. The PRA and FCA regard the reporting structure as an important indicator of how independent internal audit is of the executive and therefore how effectively it can support the board’s role in challenging management.
3. Attendance at executive committee meetings by the HIA can be valuable in supporting unrestricted scope and access and allowing internal audit to play its enhanced role in supporting the challenge of strategic decisions. Just as important is advance access to documentation for the executive committee and audit committee.
4. Internal audit faces increasing challenges as it engages on strategic and other business issues in a rapidly changing environment. It is vital for internal audit to build up networks of information that enable it to understand the internal and external factors driving risk, using its own judgement.
5. The culture of an organisation is an important factor in decision-making, but there is no single answer to how internal audit should engage on it. The IIA has produced guidance on this, Culture and the role of internal audit – Looking below the surface.
6. Internal audit functions are focussing increasingly on outcomes as well as processes. This is leading to significant changes in audit tools and methods, and the requirement for different skill-sets. New specialist knowledge is also being required of internal audit teams.
7. The strategic positioning of internal audit through the Code is increasing the opportunities for rotation, secondments, “guest auditors” and graduate entry
as the profession becomes more central to good governance. But care is needed in balancing skills and internal audit experience.
8. The Code has strengthened the role of internal audit in challenging, advising on and providing assurance on strategic events, in particular in advance of decisions. This requires more extensive real-time access to information so that internal audit is fully aware of risks around strategic decisions. It should not be directly involved in making such decisions.
This is an area of particular interest to the FCA who see internal audit’s role in key corporate events as key indicator of how firms prepare effectively for strategic change.
9. The importance and scope of continuous quality assessment of the internal audit function have increased, and functions are not just being asked to measure themselves against the IIA International Standards. This is not just thanks to the IIA Code. For some, QA also includes reference to other requirements such as Basel, the Fed and OCC. The PRA stresses that QA is an important function, is not always of a sufficient quality, and needs to be taken more seriously.
10. The PRA regards the IIA Code as a benchmark, although it has said it is prepared to discuss exceptions, where firms believe an approach that is not in line with the Code is right for them. Audit committee chairs need to be prepared for a dialogue with the regulators.
Other considerations for audit committees
- The way firms are implementing the Code varies greatly. There is no single set of best practices. Instead organisations need to introduce structures, practices and methods that are right for them. Where these appear not to be in compliance with the terms of the code they will need to justify them to the regulators.
- The code is already leading to significant change in the governance, management and coverage of internal audit. But this is a long term process. The code has raised new challenges for audit committees, HIAs and their staff. Its real success can only be measured once the changes initiated have bedded down and had their full effect. Moreover internal audit will need the support of audit committees to rise to the challenge.
- The code is written “in the context of a reasonably sized company operating within the UK regulated financial services sector” but very few of the recommendations are size-specific. Organisations with their headquarters in other jurisdictions are still expected to comply with the spirit of those areas of the code they are unable to implement fully. Conversations between audit committees and the regulators about areas where the code is not followed are likely to be in the context of a general expectation of compliance.
- The code builds on the IIA International Professional Practices Framework with its guidance and practice advisories. It should also be seen in the context of Basel lll, Solvency ll, the FRC Corporate Governance Code and Guidance, and other relevant instruments. However it is unique in its level of detail and the specific nature of its recommendations for internal audit and can play a central role in strengthening the relationship between board members, internal audit and executives, and in helping improve the effectiveness of the function.
- The approach of the two regulators is different. The PRA have conducted several reviews of internal audit functions and maintain a dialogue between their internal audit experts and the industry on how different areas of the Code are being implemented. The FCA is taking a risk-based approach to the supervision cycle. Engagement with internal audit may well be one of the areas the FCA will look at to inform its judgements. While internal audit will not be the subject of continuous FCA monitoring, audit committees will nevertheless need to ensure they are applying the spirit of the Code, if they are to demonstrate effectiveness.
What should you do now?
1. Audit committee chairs of organisations outside the financial services sector might like to discuss with their HIA whether any of the measures taken by firms in the financial services sector can help improve internal audit’s support for their audit committee.
2. If your organisation is in a regulated sector, discuss with your regulator what their expectations are of the role and position of internal audit.
3. View our website for IIA audit committee briefings on key issues such as culture and whistleblowing at /policy/boards-audit-committees-governance/audit-committee-briefing.
4. Ensure your HIA has full access to IIA guidance and other technical support.