Revised internal audit code focuses on risk management

A year on from the high profile corporate collapses of Carillion and Patisserie Valerie, the Chartered Institute of Internal Auditors (IIA) has issued an updated version of its voluntary code of practice for internal auditors.

The Internal Audit Code of Practice 2020 makes a number of recommendations designed to help businesses improve their risk management and strengthen corporate governance. Although the code is voluntary, it applies to private and third sector organisations with an internal audit function and an audit committee of independent non-executive directors or their equivalent.

The major changes include unrestricted access for internal audit, so that it is not prevented from looking at any part of the organisation it serves or at key management information.

Internal auditors should also have the right to attend and observe executive committee meetings, with a direct line to the CEO and a direct report to the audit committee chair to increase the authority and status of internal audit.

Two additional recommendations were added following a public consultation to improve the effectiveness of internal audit, particularly in outsourced internal audit.

First, there is a requirement to directly employ chief internal auditors in every business, even when the internal audit function is outsourced, to ensure they have sufficient and timely access to key management information and decisions.

Carillion’s entire internal audit function was outsourced to Deloitte and no one in the role of chief internal auditor was directly employed by the business.

IIA said that directly employed chief internal auditors are more likely to access key management information and are in a better position to be the ‘eyes and ears’ of the board.

Secondly, there should also be regular communication and sharing of information between the chief internal auditor and the partner from the entity’s external audit firm to ensure both assurance functions carry out their duties effectively.

This recommendation addresses concerns that internal and external audit do not always work together as closely as they might, IIA said, an issue highlighted in the Brydon report on audit reform.

Brendan Nelson, chair of the internal audit code of practice steering committee and audit committee chair of BP, said: ‘High profile corporate collapses linked to governance deficiencies have led to a wide-ranging review of the audit and corporate governance framework.

‘I urge boards, and in particular audit committees, to apply appropriately the internal audit code of practice to increase the effectiveness of their internal audit functions, in the pursuit of stronger corporate governance and risk management.’


The code also calls for better training provision for audit teams, including technical subject matter expertise, commensurate with the scale of operations and risks of the organisation.

This may entail training, recruitment, secondment from other parts of the organisation or co-sourcing with external third parties.

Internal audit functions in financial services should continue to follow the Financial Services Code 2017, and there are separate public sector internal audit standards. 

Sir Jon Thompson, CEO of the Financial Reporting Council, said: 'This is a significant time in the evolution of audit in the UK in light of the Kingman, Brydon and CMA reviews.

'I commend the IIA for developing and introducing this new code of practice which sets a high standard of best practice and should be considered an important part of the overall risk management and assurance framework.'
