An Introduction To Internal Audit

Parliamentary briefing:

An introduction to internal audit

Issued: Tuesday 12 September 2023


What is internal audit and why should it matter to parliamentarians?

As a parliamentarian, it is helpful for you to understand the role and value of internal audit in promoting greater
accountability, transparency, effective risk management and good corporate governance across the public, private
and third sectors.

Everyone will have heard of auditors, and for many this will mean what is technically known as external audit.
External auditors analyse and test financial accounts to ensure the financial statements give a true and fair view of
the financial situation of an organisation. As the name suggests, these auditors must be external to the organisation
whose accounts are being audited.

Internal audit is there to provide independent assurance that an organisation's risk management, governance and
internal control processes are operating effectively. Often, although not always, internal auditors are employed
directly by the organisation. When they are not, they are usually referred to as outsourced or co-sourced internal
audit.

The risks that an internal auditor looks at are not just financial risks, but also non-financial risks like cybersecurity,
supply chains and ESG-related risks including climate change. Internal auditors may even assess the corporate culture
or diversity and inclusion initiatives.

Internal auditors are independent from the operations they evaluate, and they report to the highest level in an
organisation: senior managers and the board (or governing body). This is why internal audit typically reports to the
audit committee.

Read on to learn more about how internal audit plays a key role in protecting jobs, investments, and growth across
all sectors of our economy.

What do internal auditors do: Assessing the management of risk

Internal auditors independently evaluate and assess an organisation’s management of risk. All organisations face
risks: for example, risks to the organisation’s reputation if it treats customers or employees incorrectly, health and
safety risks, risks of supplier failure, risks associated with market failure, cybersecurity, and financial risks, to name
some key areas.

To evaluate how well risks are being identified, managed, and mitigated, the internal auditor will assess the quality of
risk management processes, systems of internal control and corporate governance processes across all parts of an
organisation, and report this directly and independently to the most senior level of executive management and to the
board’s audit committee.

What do internal auditors do: Assisting management in improving internal controls

An internal auditor’s knowledge of the management of risk also enables them to act as a consultant providing advice
and acting as a catalyst for improvement in an organisation’s practices. So, for example, if a line manager is
concerned about a particular area of responsibility, working with the internal auditor could help to identify
improvements. Or perhaps a major new project is being undertaken – the internal auditor can help to ensure that
project risks are clearly identified and assessed with action taken to manage them.

Where does internal audit add value?

Internal audit carries out independent risk assessments and provides independent assurance that the controls and
measures put in place to manage and mitigate these risks are effective.

Here are some of the ways internal audit supports organisations:


Risks: How does internal audit add value?

Fraud: Internal audit conducts risk assessments, recommends fraud detection procedures, and helps ensure compliance with anti-fraud policies. These measures help internal audit identify vulnerabilities, detect fraudulent activities, and recommend improvements to reduce the likeliness and impact of fraud.

Cybersecurity & data security: Internal audit plays a crucial role in supporting the organisation to mitigate cybersecurity and data security risks. By conducting systematic assessments, internal audit can identify weaknesses in cybersecurity controls and measures and recommend improvements.

Legal and regulatory compliance: Internal audit plays a vital role in monitoring compliance with laws and regulations. By supporting adherence with legal and regulatory requirements, internal auditors assist organisations in mitigating legal and reputational risks.

Climate change and ESG (Environmental, Social and Governance): Internal audit can support the management and mitigation of climate change and ESG risks by conducting independent assessments of the organisation's sustainability practices, carbon footprint, climate transition and ESG compliance. Internal audit can recommend adopting environmentally friendly practices, promoting ethical conduct and responsible corporate behaviour.

Human capital, diversity and talent management: Internal audit can evaluate the effectiveness of recruitment, retention and employee development strategies. By identifying gaps and recommending improvements, internal audit helps the organisation optimise its human capital potential, assessing diversity, equality and inclusion, and reducing risks associated with talent acquisition and workforce retention.

Geopolitical & macroeconomic: Internal audit can play a role in independently evaluating and assessing the organisation's preparedness for geopolitical and macroeconomic events and the associated risks. By analysing and evaluating geopolitical and macroeconomic risks, internal auditors can provide advice and recommend risk mitigation strategies.

What types of organisations have internal audit?

In the UK and Ireland, the requirement for having an internal audit function is not universal across all types of
organisations. Whether or not an organisation has an internal audit function will largely depend on its size,
complexity, and risk profile. However, certain types of organisations and businesses are mandated or encouraged to
have internal audit functions.

Organisations: Requirement for an internal audit function

Public sector organisations: Central government departments, local authorities, and other public sector bodies are often required to have internal audit functions to ensure accountability and compliance with public finance regulations.

Financial services sector: The Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) are the regulatory bodies responsible for overseeing financial institutions in the UK. The PRA Rulebook [1] and the FCA Handbook set out the regulatory requirements for financial institutions, including the expectations for risk management, governance, control, and internal audit.

Publicly listed companies and public interest entities (PIEs): The decision for an internal audit function is typically left to the company's management and board of directors. The UK Corporate Governance Code [2], issued by the Financial Reporting Council (FRC), sets out principles related to corporate governance for listed companies. While it does not mandate internal audit, it emphasises the importance of “reviewing the effectiveness of the company's internal audit function or, where there is not one, considering annually whether there is a need for one and making a recommendation to the board”.

Charities and Non-Profit organisations: The Charity Commission for England and Wales [3] issues guidance regarding internal controls and governance for charities. The Charity Commission states “Depending on your charity’s size and complexity, you may need an internal audit function and/or audit committee. This is different to a statutory or external audit.” It goes on to say if you do not have an audit function or committee because your charity is small you should regularly review whether an internal audit function is needed and have other appropriate ways to check your internal financial controls are working.

Energy sector: Recently Ofgem strengthened its Financial Responsibility Principle [4] (FRP) meaning that energy suppliers should have an internal audit function. The FRP outlines “Where internal audit capability is not present, suppliers should provide an explanation for its absence and how independent internal assurance is achieved, as well as consider annually whether there is a need for internal audit capability, including making recommendations to the board.”

[1] The Prudential Regulation Authority ‘PRA Rulebook’ https://www.prarulebook.co.uk/
[2] Financial Conduct Authority ‘UK Corporate Governance Code’ https://www.frc.org.uk/getattachment/88bd8c45-50ea-4841-95b0-d2f4f48069a2/2018-UK-Corporate-Governance-Code-FINAL.pdf

The difference between internal and external audit

Reports to
External audit: Shareholders or members who are outside the organisation's governance structure.
Internal audit: The board and senior management who are within the organisation's governance structure.

Objectives
External audit: Add credibility and reliability to financial reports from the organisation to its stakeholders by giving opinions on the report.
Internal audit: Evaluate and improve the effectiveness of governance, risk management and control processes. This provides members of the boards/senior management with assurance that helps them fulfil their duties.

Coverage
External audit: Financial reports, financial reporting risks.
Internal audit: All categories of risk, their management, including reporting on them.

Responsibility for improvement
External audit: None. However, there is a duty to report problems.
Internal audit: Improvement is fundamental to the purpose of internal auditing. But it is done by advising, coaching and facilitating in order to not undermine the responsibility of management.

Contact us

We hope that you find this briefing useful in understanding the role and value of internal audit. For any enquiries
regarding this briefing or if you would like to set up a meeting to find out more about how we can support your work
as a parliamentarian please contact:

Gavin Hayes, Head of Policy and External Affairs at [email protected] OR 020 7498 0101.

[3] Gov.UK ‘The Charity Commission’ https://www.gov.uk/government/publications/internal-financial-controls-for-charities-cc8/internal-financial-controls-for-charities#internal-audit-functions-and-audit-committees
[4] OFGEM ‘Financial Responsibility Principle’ https://www.ofgem.gov.uk/publications/decision-strengthening-financial-resilience
