Summary: UK Internal Audit Code of Practice (September 2024).
- David Tyler
- 7 days ago
Effective Date: January 2025
1. Introduction and Purpose: This briefing document provides an overview of the new Internal Audit Code of Practice (the "Code"), released in September 2024 and effective from January 2025. This Code, endorsed by the Chartered IIA’s Council, consolidates principles for effective internal audit across the financial services, private, and third sectors in the UK and Ireland. It aims to enhance the impact and effectiveness of internal audit by providing a benchmark of good practice.
The foreword highlights the significance of this unified Code, stating, "For the first time, we present a unified Code that encompasses the financial services, private, and third sectors." Sandro Boeri, President, Chartered IIA, and Sally Clark, Chair, Independent Internal Audit Code of Practice Review Committee, assert that the Code "equips the UK and Ireland internal audit profession to meet current challenges, remain relevant, and evolve as strategic advisors to the organisations we serve."
2. Timeliness and Context: The release of this new Code is considered "particularly timely" due to the increasingly uncertain, risky, and rapidly changing global landscape. It presents an opportunity to strengthen internal audit's role in assisting boards and senior management with effective risk management in this dynamic environment. The Code is also seen as essential for "restoring trust in the broader audit and corporate governance ecosystem."
3. Alignment with Existing Frameworks: The Code aligns with the International Professional Practices Framework and the new Global Internal Audit Standards, which form the baseline for the profession. It is intended to serve as an "industry benchmark to embed best practices and raise the bar of the internal audit profession across the UK and Ireland." The document emphasises the need to "continually challenge internal audit functions to enhance their performance."
4. Applicability and Implementation: Effective from January 2025, the Code will apply to "all internal audit functions in the financial services, private and third sectors," aligning with the new Global Internal Audit Standards and the revised UK Corporate Governance Code. While it is principles-based and should be applied "proportionately, in line with the nature, scope and complexity of the organisation," all functions are expected to engage with its principles. External Quality Assessment (EQA) providers will benchmark against the Code to assess progress towards best practices. The Code may also prove useful for the public sector, although it was not specifically drafted for it.
5. Development Process and Stakeholder Involvement: The Code's recommendations were developed by a "diverse and experienced committee of senior internal audit professionals and audit committee chairs," with input from UK and Ireland regulators as observers. It underwent "extensive public consultation," and the feedback received was "thoroughly considered" by both the Review Committee and the Chartered IIA’s Council. Modifications were made based on this feedback, which received strong support from most participants.
6. Key Principles of the Code: The Code is structured around nine core principles, each with associated outcomes and more detailed sub-principles. These are aimed at enhancing the overall impact and effectiveness of internal audit.
A. Purpose and Mandate of Internal Audit:
Outcome: Internal audit has a clear purpose and mandate, supported by a strong tone at the top.
Key Ideas: The primary purpose is to help the board and senior management protect the organisation's assets, reputation, and sustainability by providing independent assurance, advice, insight, and foresight. This includes assessing risk reporting, evaluating controls, and challenging management to improve governance, risk management, and controls. The purpose and mandate should be articulated in a publicly available internal audit charter.
Quote: "The primary purpose of internal audit should be to help the board and senior management to protect the assets, reputation and sustainability of the organisation."
The Head of Audit (HOA) should report annually to the board audit committee on the application of the Code's principles, and the board audit committee report should summarise internal audit's purpose, activities, impact, and effectiveness.
B. Scope and Priorities of Internal Audit:
Outcome: Internal audit has unrestricted scope and access and an effective process for determining coverage.
Key Ideas: Internal audit's scope should be "unrestricted," allowing it to examine any aspect of the organisation. It should form its own independent judgement on audit coverage based on the organisation's structure and risk profile, considering business strategy and identifying key risks. While stakeholder views are important, internal audit's view should not be solely determined by them. Plans should be risk-based and approved by the board audit committee, remaining dynamic and flexible to address emerging risks.
Quote: "Internal audit’s scope should be unrestricted. There should be no aspect of the organisation which internal audit should be restricted from looking at as it delivers on its mandate."
The scope should include areas such as purpose, strategy, business model, organisational culture, internal governance, risk appetite, key corporate and external events, capital and liquidity risks, risks of poor customer treatment, environmental sustainability, financial crime, technology risks, and the effectiveness of other control functions. It should also focus on the "outcomes of processes," not just their design.
C. Reporting Results:
Outcome: Internal audit's reporting to governance committees is impactful and relevant, providing overall opinions on higher-risk areas.
Key Ideas: Internal audit should present consolidated reports to key governance committees, including the board audit committee and potentially the board risk committee. These reports should include overall opinions on selected scope areas, insights on control weaknesses with root cause analysis, thematic and systemic issues, an independent view of management's risk reporting and remediation plans, reviews of post-mortem analyses of significant adverse events, analysis of emerging trends, and insights on effective areas and potential efficiencies.
Quote: "Internal audit’s consolidated reporting to the board audit committee... should provide: Overall opinions on the scope areas selected and covered..."
At least annually, reporting should include an overall opinion on the effectiveness of governance, risk, and control frameworks, and adherence to risk appetite, supporting board disclosures.
D. Interaction with Risk Management, Compliance, Finance and Control Functions:
Outcome: Internal audit has an organisation-wide remit that includes assessing and interacting with other control functions.
Key Ideas: Internal audit should be independent of and not part of risk management, compliance, finance, and other control functions (this is explicitly stated as best practice for the private and third sectors and applicable to financial services). While coordination with these functions is necessary, internal audit should not exclusively rely on their work in its risk assessment or testing.
Quote: "Internal audit should be independent of these functions and be neither responsible for, nor part of, them." (Applicable to financial services, best practice for others).
In cases where the HOA has responsibility for other control functions (more common in private and third sectors), the board audit committee should ensure this does not undermine their internal audit responsibilities or independence, and external assessments of those functions may be desirable.
E. Independence and Authority of Internal Audit:
Outcome: Internal audit is independent, objective, and has appropriate standing, stature, and access.
Key Ideas: The HOA should be at a senior management level (typically executive committee) to ensure appropriate standing and authority. Internal audit should have the right to attend key management meetings and have "unrestricted and timely access to key management information." The primary reporting line for the HOA should be to the chair of the board audit committee, who should also be responsible for their appointment and removal. The chair should also oversee HOA performance appraisal (considering CEO input) and recommend remuneration to avoid conflicts of interest. For outsourced functions, accountability remains with the organisation.
Quote: "The primary reporting line for the Head of Audit should be to the chair of the board audit committee."
Subsidiary heads of internal audit should primarily report to the group HOA. Financial services organisations (and best practice for others) should have an administrative reporting line to the CEO to preserve independence. Private and third sector organisations may have an alternative senior management administrative reporting line agreed with the audit committee chair.
F. Resources:
Outcome: Internal audit has the right skills, experience, resources, and budget to fulfil its mandate.
Key Ideas: The HOA is responsible for ensuring the audit team has the necessary skills and expertise through training, recruitment, secondment, or co-sourcing. The HOA should regularly assess skills requirements and the adequacy of the internal audit budget with the board audit committee. The team should have a mix of backgrounds and promote diversity of thought, aligning with the organisation's DEI policies. Internal audit should utilise appropriate tools and technology (e.g., data analytics, AI) to enhance effectiveness and efficiency. The board audit committee approves the budget and should disclose in the annual report whether it is satisfied with internal audit's resources.
G. Quality Assurance and Improvement Programme (QAIP):
Outcome: The board audit committee and internal audit assess the quality, performance, impact, and effectiveness of the function.
Key Ideas: The board audit committee approves performance objectives and regularly evaluates the internal audit function, considering value, impact, effectiveness, and efficiency beyond just plan delivery. Internal audit should maintain up-to-date policies and continuously improve them. A QAIP should be developed, including independent assessments of audit work, risk understanding, and adherence to methodology. Results should be presented to the board audit committee annually. Periodic self-assessments against the Code and Global Internal Audit Standards should be conducted.
Quote: "The board audit committee is responsible for approving internal audit’s performance objectives and evaluating the performance of the internal audit function on a regular basis."
External Quality Assessments (EQAs) should be obtained at appropriate intervals, with a minimum frequency of every five years, explicitly evaluating conformity with the Code and the Global Internal Audit Standards. The audit committee chair oversees the EQA appointment process.
H. Relationship with Regulators and External Audit:
Outcome: Internal audit has an open, constructive, and cooperative relationship with regulators and external audit.
Key Ideas: The HOA and senior internal audit managers should maintain open communication with relevant regulators. The HOA and the external audit partner should ensure regular communication and information sharing.
I. Wider Considerations:
Key Ideas: The Chartered Institute of Internal Auditors should commission further independent reviews of the guidance at least every five years to consider necessary changes.