New audit code to strengthen UK corporate governance

Internal audit teams will have to address emerging risks and consider the impact of cultural risks within the company

A new code of practice for the UK and Ireland’s internal audit profession has been unveiled by the Chartered Institute of Internal Auditors (CIIA), which said the code sets higher standards to prevent corporate failures.

The code has been enhanced, the CIIA said, in recognition of the increasingly complex risk environment facing organisations, helping companies to bolster corporate governance and increase business resilience. Among several new features, internal audit units will be required to address emerging risks, including climate change and AI, and conduct risk-based reviews of cultural risks within the company. Internal audit teams should include individuals from diverse backgrounds and experiences, the code specifies.

The professional body said the code is “long-awaited” and was developed by an independent committee chaired by Sally Clark, chair of the audit committee at Citigroup Global Markets, with input from regulators in the UK and Ireland as well as consultation with audit professionals.

Clark said the code “is a pivotal advancement” for the internal audit profession and corporate governance in the UK and Ireland. “Now more than ever, internal auditors must be bold and proactive if they are to add value to the organisations that they work within. The new code ensures that internal audit continues to play a critical role in safeguarding the assets, reputation, and sustainability of our organisations.”

For the first time, the code applies to all internal audit functions in the financial services, private and third sectors, and raises standards to the same level across the board in the UK and Ireland.

Anne Kiem, chief executive of the CIIA, said of the code’s significance: “As organisations confront an increasingly uncertain and dynamic risk landscape, the new Internal Audit Code of Practice offers a crucial framework that will enhance the role of internal audit in advising and providing assurance to boards and senior management over their organisation’s risks, controls and corporate governance processes.”

She added: “A robust internal audit profession is essential to restoring trust in the broader audit and corporate governance ecosystem and supporting economic stability.”

Jonathan Geldart, director general at the Institute of Directors, added his support for the code: “In a more risky and uncertain world, company directors need to ensure their internal controls and risk management frameworks are robust. The Internal Audit Code of Practice provides company directors with the tools to embed the strong internal company controls that are vital for business success.”

Endorsing the code, Mark Babington, executive director, regulatory standards of the Financial Reporting Council, which contributed to the code, said: “This code is a significant step forward in improving independent assurance over the way businesses manage risk and assess the effectiveness of their internal controls to support reporting against the Corporate Governance Code.”

The updated code aligns with the new Global Internal Audit Standards and the revised UK Corporate Governance Code. New features include:

  • Emerging risks: The new code states that internal audit functions should address emerging risks, including environmental sustainability, climate change, social issues, financial and economic crime, and technology risks such as AI and cybersecurity.
  • Culture audits: Internal audit functions should conduct risk-based reviews of organisational culture, extending beyond risk and control culture to encompass broader cultural risks.
  • Wider scope: Internal audit functions across all sectors should assess capital and liquidity risks and risks stemming from poor customer treatment, not limited to financial services.
  • Alignment with governance disclosures: Internal audit’s assessments of risk management and internal controls should now support board disclosures on material controls, aligning with the revised UK Corporate Governance Code.
  • Enhanced reporting: Chief internal auditors should collaborate with their audit committee to include a summary of the internal audit function’s activities and conclude on its impact and effectiveness in the company’s annual report and accounts.
  • Coordination with assurance providers: Internal audit functions should coordinate with other assurance providers on key risks and assurance timing, ensuring comprehensive risk coverage.
  • Diversity and technology: Internal audit teams are required to comprise individuals with diverse backgrounds, skills, and experiences, and for chief internal auditors to ensure access to the necessary tools and technology, such as data analytics and AI, to enhance audit effectiveness.
Back to top button