GUIDANCE ON EFFECTIVE

INTERNAL AUDIT IN THE FINANCIAL

SERVICES SECTOR
Second Edition | September 2017
Foreword
Since its publication in
July 2013, the Chartered
Institute’s Guidance on
Effective Internal Audit in
Financial Services (which
has become known as
‘the Code’) has played an
important part in raising Contents
expectations of internal
audit in UK financial services 3 Introduction from the Chair
organisations, and in promoting
good practice. 5 Context
The revised text contained in this second edition reflects
6 The Guidance
the recommendations of the independent committee
chaired by Mike Ashley, chair of the audit committee at
Barclays, which the Institute was happy to accept in full. 11 The independent review committee

The changes to the text are outlined in Mike Ashley’s

introduction.

The fact that these changes are relatively modest

in scope highlights that the Code is considered by
key stakeholders across the sector as being both
fundamentally sound and highly relevant: but we hope
that the amendments will provide some additional
clarity on the principles and their application.

For our part, the Chartered Institute will, over the coming
year, provide a range of additional practical material
for boards and practitioners on interpretation and
implementation of the provisions, aimed in particular at
assisting smaller internal audit teams.

Finally, I would like to thank Mike Ashley and the

members of his committee for all their hard work and
deliberation; and to all of those from across the financial
services sector who took the time and trouble to
engage with the review process, and whose feedback
has shaped the new edition of the Code. We commend
it to all.

Dr Ian Peters MBE

Chief Executive

Page 2 | Guidance on Effective Internal Audit in the Financial Services Sector

Introduction from the Chair
When the committee that I chaired launched its review It emphasises that it is the responsibility of internal
of the Code in September 2016, we set out to answer audit to assess not only the processes followed
three broad questions: by the first and second lines of defence in the
organisation, but also the quality of their work, and
• Whether the Code had achieved its original objectives; that the scope of internal audit needs to be reviewed
regularly to take account of new and emerging risks
• Whether it needed to be amended or updated in the
(paragraph 6)
light of experience; and
It requires internal audit to report each year to the
• What action was now needed to improve further
audit committee, in the context of its opinion on
the effectiveness of internal audit in financial services
the overall control environment, on whether the
organisations.
organisation’s framework for risk appetite is being
We were very pleased by the level of engagement with adhered to right across the business (paragraph 6c)
our review from the industry – from heads of internal
It emphasises that, in relation to the culture of the
audit and their teams, financial services firms, audit
organisation, internal audit needs to look at whether
committee chairs and other non-executives, professional
observed behaviours across the organisation are in
services firms and regulators – and from all parts of the
line with the formally espoused values, ethics, risk
sector, involving insurers and asset managers as well as
appetite and policies of the business (paragraph 6d)
banks; both in the course of two formal consultation
phases and in a series of roundtable and other outreach It spells out the requirement for internal audit to look
events. The interest in, and enthusiasm for, the Code at the outcomes of processes (paragraph 6h), not
was striking. only at their design
The clear message from stakeholders was that the Code It says that internal audit’s reporting to the audit
had achieved all or most of its original objectives, and committee should include reviewing any relevant
crucially that it had been instrumental in supporting post-mortem or ‘lessons learned’ analyses following
real improvements in internal audit across the sector. It significant adverse events at an organisation,
remains both highly relevant and fundamentally sound. including the roles of the key actors (paragraph 8)
There were, however, a few areas where stakeholders It spells out the requirement for internal audit to
and the committee both felt that the Code would evaluate the effectiveness of other functions such as
benefit from modest amendment, either to make risk management or compliance before deciding to
explicit points which may not have been clear enough what extent it can take account of their work, either in
to all, or to underline particular important aspects of performing its initial risk assessment or in determining
best practice. its own level of audit testing (paragraph 11)
The updated text published here therefore includes In addition to the consideration in the annual
some changes, the most significant of which are appraisal by the audit committee chair of the chief
described below: internal auditor’s objectivity and independence, it
requires this explicitly to be discussed with the audit
It makes clear that it is the responsibility of internal
committee each year after the chief internal auditor
audit to come to its own view about how the
has been in post for seven years (paragraph 17)
audit universe for its own organisation should be
structured, in the light of the structure and risk And it makes clear that, whatever the size of a
profile of the organisation concerned (paragraph 4) financial services organisation and its internal audit
team, the internal audit function should be subject
It underlines that it is for internal audit to decide
to an independent and objective external assessment
(subject to approval by the audit committee) which
at least every five years (paragraph 28).
areas should or need not be covered in the regular
audit plan, on the basis of its own assessment of risk
(paragraph 4)

Guidance on Effective Internal Audit in the Financial Services Sector | Page 3

As to the question of what now needs to be done to And continued support from the regulators is vital.
drive further improvements in internal audit in financial We would also welcome more detailed use of the
services, my committee’s view is very clear: revised Code within the supervisory teams when
considering what constitutes good practice.
Chief internal auditors and audit committee chairs
need to expect and demand more from internal The Code has made a real difference to internal audit
audit teams in all the areas covered by the Code, in UK financial services since 2013; we very much
building on the significant progress achieved so far hope that, with the active and continued support and
commitment of all parties, the updated Code can make
While the Chartered Institute of Internal Auditors an even greater difference in the years ahead.
has produced some valuable technical guidance
on certain aspects of the Code, it needs to produce
Mike Ashley
more practical material on the application and
Chair of the independent review committee
implementation of its provisions, aimed in particular
at assisting smaller internal audit teams

The Chartered Institute, professional services firms

and financial services organisations themselves
should seek new ways to promote benchmarking and
the sharing of best practice, building in particular on
external quality assessments

Page 4 | Guidance on Effective Internal Audit in the Financial Services Sector

Context
The recommendations which follow are aimed at context specific to the financial services sector; and
enhancing the overall effectiveness of Internal Audit, seeking to increase the effectiveness and impact of
and its impact, within the firms operating in the Internal Audit in organisations in that sector by clarifying
financial services sector in the UK. They can be regarded expectations and requirements.
as a benchmark of good practice against which firms
can assess their Internal Audit function. The intended The recommendations are principles-based, rather
audience for this publication includes Chief Internal than establishing detailed rules. They are written in
Auditors, executive and non-executive directors, and in the context of a reasonably-sized company operating
particular members of Audit and Risk Committees, and within the UK regulated financial services sector. Small
regulatory bodies. companies and branches of non-UK headquartered
organisations in particular might need to make some
The recommendations should be applied in conjunction modifications to the detail, in the light of their size,
with the existing International Professional Practices risk profile and internal organisation, and the nature,
Framework published by the global Institute of Internal scope and complexity of their operations: but all should
Auditors, which includes the International Standards for comply with the principles.
the Professional Practice of Internal Auditing (‘the IIA
Standards’). They build on those Standards, providing

Guidance on Effective Internal Audit in the Financial Services Sector | Page 5

The Guidance
Internal Audit should make a risk-based decision as
[A] Role and mandate of Internal Audit
to which areas within its scope should be included
in the audit plan – it does not necessarily have to
1. The primary role of Internal Audit should be to help cover all of the scope areas every year. Its judgement
the Board and Executive Management to protect on which areas should be covered in the audit plan,
the assets, reputation and sustainability of the and on the frequency and method of audit cycle
organisation. coverage, should be subject to approval by the
Audit Committee.
It does this by assessing whether all significant
risks are identified and appropriately reported 5. Internal Audit coverage and planning.
by Management and the Risk function to the
Board and Executive Management; assessing Internal Audit plans, and material changes to
whether they are adequately controlled; and by Internal Audit plans, should be approved by the
challenging Executive Management to improve the Audit Committee. They should have the flexibility
effectiveness of governance, risk management and to deal with unplanned events to allow Internal
internal controls. The role of Internal Audit should Audit to prioritise emerging risks. The changes,
be articulated in an Internal Audit Charter, which to the audit plan should be considered in light of
should be publicly available. Internal Audit’s ongoing assessment of risk.

2. The Board, its Committees and Executive 6. Scope of Internal Audit.

Management should set the right ‘tone at the top’
The scope of Internal Audit’s work should be
to ensure support for, and acceptance of, Internal
regularly reviewed to take account of new and
Audit at all levels of the organisation.
emerging risks. Where relevant, Internal Audit
should assess not only the process followed by the
[B] Scope and priorities of Internal Audit organisation’s first and second lines of defence, but
also the quality of their work.

3. Internal Audit’s scope should be unrestricted. As a minimum, Internal Audit should include within
its scope the following areas:
There should be no aspect of the organisation which
Internal Audit should be restricted from looking at as a.
Internal governance
it delivers on its mandate. Whilst it is not the role of
Internal Audit to second guess the decisions made Internal Audit should include within its scope
by the Board and its Committees, its scope should the design and operating effectiveness of the
include information presented to the Board and its internal governance structures and processes of
Committees as discussed further below. the organisation.

4. Risk assessments and prioritisation of Internal b.

The information presented to the Board and
Audit work. Executive Management for strategic and
operational decision making
In setting its scope, Internal Audit should form its
own judgement on how best to segment the audit Internal Audit should include within its scope
universe given the structure and risk profile of the the processes and controls supporting strategic
organisation. It should take into account business and operational decision making. It should
strategy and should form an independent view of assess whether the information presented to
whether the key risks to the organisation have been the Board and Executive Management fairly
identified, including emerging and systemic risks, represents the benefits, risks and assumptions
and assess how effectively these risks are being associated with the strategy and corresponding
managed. Internal Audit’s independent view should business model.
be informed, but not determined, by the views of
Management or the Risk function. In setting out
its priorities and deciding where to carry out more
detailed work, Internal Audit should focus on the
areas where it considers risks to be higher.

Page 6 | Guidance on Effective Internal Audit in the Financial Services Sector

 c.
The setting of, and adherence to, risk appetite g.
Key corporate events

Internal Audit is not responsible for setting the Examples of key corporate events could
risk appetite but should assess whether the risk include significant business process changes,
appetite has been established and reviewed introduction of new products and services,
through the active involvement of the Board and outsourcing decisions and acquisitions/
Executive Management. It should assess whether divestments. Internal Audit should decide if
risk appetite is embedded within the activities, these events are sufficiently high risk to warrant
limits and reporting of the organisation; and it involvement on a real time basis. In doing so,
should report annually to the Audit Committee Internal Audit will evaluate whether the key risks
its conclusions on whether the organisation’s are being adequately addressed (including by
risk appetite framework is being adhered to. other forms of assurance, e.g. third party due
diligence) and reported. Internal Audit should
d.
The risk and control culture of the organisation also assess whether the information being used
in such key decision making is fair, balanced and
Internal Audit should include within its scope the
reasonable, and whether the related procedures
risk and control culture of the organisation. This
and controls have been followed.
should include assessing whether the processes
(e.g. appraisal and remuneration), actions (e.g. h.
Outcomes of processes
decision making), ‘tone at the top’ and observed
behaviours across the organisation are in line Internal Audit should evaluate the design and
with the espoused values, ethics, risk appetite operating effectiveness of the organisation’s
and policies of the organisation. policies and processes. In doing so, it should not
adopt a ‘tick box’ approach based purely on the
Internal Audit should consider the attitude design of processes and controls, and should
and assess the approach taken by all levels of always consider the actual outcomes which
Management to risk management and internal result from their application, assessed against
control. This should include Management’s the espoused values, ethics, risk appetite and
actions in addressing known control deficiencies policies of the organisation.
as well as Management’s regular assessment of
controls.

e.
Risks of poor customer treatment, giving rise to
conduct or reputational risk

Internal Audit should evaluate whether the

organisation is acting with integrity in its
dealings with customers and in its interaction
with relevant markets.

Internal Audit should evaluate whether

Business and Risk Management are adequately
designing and controlling products, services
and supporting processes in line with customer
interests and conduct regulation.

f.
Capital and liquidity risks

Internal Audit should include within its scope

the modelling and management of the
organisation’s capital and liquidity risks.

Guidance on Effective Internal Audit in the Financial Services Sector | Page 7

[C] Reporting Results [D] Interaction with Risk Management, Compliance
and Finance
7. Internal Audit should be present at, and issue reports
to the appropriate governing bodies, including the 9. Effective Risk Management, Compliance and
Board Audit Committee, the Board Risk Committee Finance functions are an essential part of an
and any other Board Committees as appropriate. organisation’s corporate governance structure.
The nature of the reports will depend on the remits Internal Audit should be independent of these
of the respective governing bodies. functions and be neither responsible for, nor part
of, them.
8. Internal Audit’s reporting to the Board Audit and/or
Risk Committees should include: 10. Internal Audit should include within its scope an
assessment of the adequacy and effectiveness of
• a focus on significant control weaknesses and the Risk Management, Compliance and Finance
breakdowns together with a robust root-cause functions. In evaluating the effectiveness of
analysis. Internal Audit’s reports should identify internal controls and risk management processes,
owners, accountabilities and timescales for each in no circumstances should Internal Audit rely
management action; exclusively on the work of Risk Management,
• any thematic issues identified across the Compliance or Finance. Internal Audit should
organisation; always examine, for itself, an appropriate sample
of the activities under review.
• an independent view of Management’s reporting
on the risk management of the organisation, 11. Internal Audit should exercise informed judgement
including a view on Management’s remediation as to what extent it is appropriate to take account
plans (which might include restricting further of relevant work undertaken by others, such as Risk
business until improvements have been Management, Compliance or Finance in either its
implemented), highlighting areas where there risk assessment or determination of the level of
are significant delays; audit testing of the activities under review. Any
judgement which results in less intense Internal
• a review of any post-mortem and Audit scrutiny should only be made after an
‘lessons learned’ analysis if a significant evaluation of the effectiveness of that function in
adverse event has occurred at an organisation relation to the area under review.
(for example, a regulatory breach). Any such
review should assess both the role of the first
and second lines of defence and Internal Audit’s [E] Independence and Authority
own role; and of Internal Audit

• at least annually, an assessment of the overall

12. The Chief Internal Auditor should be at a senior
effectiveness of the governance, and risk and
enough level within the organisation (normally
control framework of the organisation, and
expected to be at Executive Committee or
its conclusions on whether the organisation’s
equivalent) to give him or her the appropriate
risk appetite framework is being adhered to,
standing, access and authority to challenge the
together with an analysis of themes and trends
Executive. Subsidiary, branch and divisional Heads
emerging from Internal Audit work and their
of Internal Audit should also be of a seniority
impact on the organisation’s risk profile.
comparable to the senior Management whose
activities they are responsible for auditing.

13. Internal Audit should have the right to attend

and observe all or part of Executive Committee
meetings and any other key management decision
making fora.

Page 8 | Guidance on Effective Internal Audit in the Financial Services Sector

14. Internal Audit should have sufficient and timely 19. Subsidiary (including ring-fenced bank), branch
access to key management information and a and divisional Heads of Internal Audit should report
right of access to all of the organisation’s records, primarily to the Group Chief Internal Auditor,
necessary to discharge its responsibilities. while recognising local legislation or regulation
as appropriate. This includes the responsibility for
In organisations in which the Internal Audit setting budgets and remuneration, conducting
function is outsourced, the Chair of the Audit appraisals and reviewing the audit plan. The
Committee should identify an appropriate Group Chief Internal Auditor should consider
individual responsible for ensuring that the Chief the independence, objectivity and tenure of the
Internal Auditor has sufficient and timely access to subsidiary, branch or divisional Heads of Internal
key management information and decisions. Audit when performing their appraisals.
15. The primary reporting line for the Chief Internal 20. If Internal Audit has a secondary Executive reporting
Auditor should be to the Chair of the Audit line, this should be to the CEO in order to preserve
Committee. In exceptional circumstances, the independence from any particular business area or
Board may wish for Internal Audit to report directly function and to establish the standing of Internal
to the Chair of the Board, or delegate responsibility Audit alongside the Executive Committee members.
for the reporting line to the Chair of the Board Risk
Committee, provided the Chair of the Board Risk
Committee and all the other Committee members [F] Resources
are independent Non-Executive Directors. The
reporting line must avoid any impairment to
Internal Audit’s independence and objectivity. 21. The Chief Internal Auditor should ensure that the
audit team has the skills and experience, including
16. The Audit Committee should be responsible for technical subject matter expertise, commensurate
appointing the Chief Internal Auditor and removing with the scale of operations and risks of the
him/her from post. organisation. This may entail training, recruitment,
secondment from other parts of the organisation or
17. The Chair of the Audit Committee should be co-sourcing with external third parties.
accountable for setting the objectives of the Chief
Internal Auditor and appraising his/her performance 22. The Chief Internal Auditor should provide the Audit
at least annually. It would be expected that the Committee with a regular assessment of the skills
objectives and appraisal would take into account required to conduct the work needed, and whether
the views of the Chief Executive. This appraisal the Internal Audit budget is sufficient to recruit and
should consider the independence, objectivity retain staff or procure other resources with the
and tenure of the Chief Internal Auditor. Where expertise, experience and objectivity necessary
the tenure of the Chief Internal Auditor exceeds to provide effective challenge throughout the
seven years, the Audit Committee should explicitly organisation and to the Executive.
discuss annually the Chair’s assessment of the Chief
Internal Auditor’s independence and objectivity. 23. The Audit Committee should be responsible for
approving the Internal Audit budget and, as part of
18. The Chair of the Audit Committee should be the Board’s overall governance responsibility, should
responsible for recommending the remuneration disclose in the annual report whether it is satisfied
of the Chief Internal Auditor to the Remuneration that Internal Audit has the appropriate resources.
Committee. The remuneration of the Chief Internal
Auditor and Internal Audit staff should be structured
in a manner such that it avoids conflicts of interest,
does not impair their independence and objectivity
and should not be directly or exclusively linked to
the short term performance of the organisation.

Guidance on Effective Internal Audit in the Financial Services Sector | Page 9

 28. In addition, the Audit Committee should obtain
[G] Quality Assessment
an independent and objective external assessment
at appropriate intervals, irrespective of the size
24. The Board or the Audit Committee is responsible of the organisation. This could take the form of
for evaluating the performance of the Internal periodic reviews of elements of the function, or a
Audit function on a regular basis. In doing so it will single review of the overall function. In any event,
need to identify appropriate criteria for defining the the Internal Audit function as a whole should as a
success of Internal Audit. Delivery of the audit plan minimum be subject to a review at least every five
should not be the sole criterion in this evaluation. years, as set out in the International Professional
Practice Framework for Internal Audit. The
25. Internal Audit should maintain an up-to-date set conformity of Internal Audit with this guidance
of policies and procedures, and performance should be explicitly included in this evaluation.
and effectiveness measures for the Internal Audit The Chair of the Audit Committee should oversee
function. Internal Audit should continuously and approve the appointment process for the
improve these in light of industry developments. independent assessor.
26. Internal Audit functions of sufficient size should
develop a quality assurance capability, with
the work performed by individuals who are [H] Relationships with Regulators
independent of the delivery of the audit. The
individuals performing the assessments should 29. Nature and purpose of the relationship
have the standing and experience to meaningfully
challenge Internal Audit performance and to ensure The Chief Internal Auditor, and other senior managers
that Internal Audit judgements and opinions are within Internal Audit, should have an open, constructive
adequately evidenced. and co-operative relationship with regulators which
supports sharing of information relevant to carrying
The scope of the quality assurance review should out their respective responsibilities.
include Internal Audit’s understanding and
identification of risk and control issues, in addition
to the adherence to audit methodology and [I] Wider Considerations
procedures. This may require the use of resource
from external parties. The quality assurance work 30. The Chartered Institute of Internal Auditors should
should be risk-based to cover the higher risks of the develop practical materials for Internal Auditors
organisation and of the audit process. The results of on the application and implementation of specific
these assessments should be presented directly to aspects of this guidance, aimed in particular at
the Audit Committee at least annually. smaller institutions. Such material should focus on
27. Where the Internal Audit function is outsourced to examples of good practice, and should not be seen
an external provider, Internal Audit’s work should as adding to the requirements of this guidance. In
be subject to the same quality assurance work as particular, less well established areas for Internal
the in-house functions. The results of this quality Audit activity would benefit from such material.
assurance work should be presented to the Audit 31. The Chartered Institute of Internal Auditors should
Committee at least annually for review. commission further independent reviews of this
guidance every five years, in the light of further
experience, with a view to deciding whether any
further changes are required.

Page 10 | Guidance on Effective Internal Audit in the Financial Services Sector

The independent review committee
Mike Ashley (Chair) Chair of the Audit Committee, Barclays; Chair, Government Internal Audit Agency

Brendan Nelson Chair of the Audit Committee, RBS

Julia Wilson Senior Independent Director, Legal and General, Director of Finance, 3i

James Turner Director of Group Finance, Prudential

Pam Kaur Group Head of Internal Audit, HSBC Holdings

Tom Deane Director of Audit, Tesco Bank

Attending the committee

Stephen Brown Chief Internal Auditor, Bank of England

Lalitha Henry Head of Internal Audit, Financial Conduct Authority

Paul George Executive Director of Corporate Governance and Reporting, Financial Reporting Council

Dr Ian Peters Chief Executive, Chartered Institute of Internal Auditors

Support to the committee

Alisdair McIntosh Director of Policy and External Relations, Chartered Institute of Internal Auditors

Harjeet Powar Senior Manager, EMEIA Financial Services, EY

Guidance on Effective Internal Audit in the Financial Services Sector | Page 11

About the Chartered Institute
of Internal Auditors
The Chartered IIA is the only body focused exclusively on internal auditing and we
are passionate about supporting, promoting and training the professionals who work
in it. We have been leading the profession of internal auditing for over 65 years. Our
International Standards and Code of Ethics unite a global community of over 180, 000
internal auditors in 170 countries. We are committed to enhancing the recognition and
professionalism of internal audit in the UK and Ireland, through:

• Dynamic leadership of the profession which maximises our members’ reputation

and influence individually and collectively.

• Technical excellence through our International Standards and Code of Ethics.

• All members across the globe work to the same International Standards
and Code of Ethics.

• We have almost 10,000 members in all sectors in the UK and Ireland.

• High quality support to our members throughout their careers, which enables
them to continually develop their professional knowledge, skills and experience and
provides other services of value to members in their roles.

These things, enacted through our staff, members and volunteers and with the support
of our suppliers and partners, make a significant and unique contribution to the success
of all organisations.

More information on the Chartered IIA is available at iia.org.uk

iia.org.uk
Chartered Institute
of Internal Auditors
13 Abbeville Mews
88 Clapham Park Road
London SW4 7BX
tel 020 7498 0101
fax 020 7978 2492
email [email protected]
© September 2017.
Information can be
made available in
other formats.

Guidance on Effective Internal Audit in the Financial Services Sector