Internal Audit Code of Practice: Guidance on effective internal audit in the private and third sectors 1

Internal Audit Code of Practice

Guidance on effective internal audit in
the private and third sectors

January 2020
1 Internal Audit Code of Practice: Guidance on effective internal audit in the private and third sectors

Foreword from the Council from the President

We are pleased to publish our Internal Audit Code of Practice which

provides guidance on effective internal audit in the private and third
sectors. The Code is principles-based, and is intended as an industry
benchmark, to help embed good practice internal audit and raise the bar
across the profession.

The guidance contained within the Code represents exercise resulted in a high level of engagement
the final recommendations of the independent and debate on how to enhance internal audit’s role
Internal Audit Code of Practice Steering Committee, as a cornerstone of good corporate governance,
which the Institute has accepted in full and now with seventy written responses received by the
commends to the boards and internal audit committee to the consultation.
professionals of all private and third sector
organisations operating in the UK. The publication of this new guidance is both
important and timely, given recent high-profile
The publication of this new Code further builds on corporate collapses linked to governance
the Chartered IIA’s vital work in developing a similar deficiencies, most notably Carillion in January
Code of Practice for financial services firms, which 2018, which has led to a wide-ranging review of the
has been a great success in improving the scope, audit and corporate governance framework. This
skills and status of internal audit. Our ambition is creates an opportunity to enhance internal audit’s
that the Internal Audit Code of Practice delivers the role in supporting non-executive and executive
same for the profession working outside of financial management, in organisations across the private
services in the private and third sectors. and third sectors, to manage and mitigate their risks
more effectively.
The independent Steering Committee which
oversaw the development of the Code was chaired We therefore urge boards, and in particular
by Brendan Nelson, the Audit Committee Chair of audit committees, to embrace the key principles
BP (and formerly of RBS), who was also involved contained within the Code, so as to enhance the
in the development of our Financial Services effectiveness of their internal audit functions. This
Code and so the work really benefitted from that will help internal audit to maximise its value and
previous experience. Other committee members deliver its true potential.
included audit committee chairs and chief internal
auditors representing a diverse range of businesses Finally, we would like to express our sincere
from different sectors and sizes, along with the thanks to the members of the committee for their
involvement of the Financial Reporting Council as commitment, tenacity and diligence in developing
an observer. the Code. We have no doubt that their exceptional
work will deliver a more influential and effective
The final recommendations contained within the internal audit profession, as well as contribute to
Code were made following a thorough twelve- better corporate governance in the UK.
week public consultation process in which the
independent committee engaged and gathered The Council
the views of a range of stakeholders including
internal audit professionals, executive and non-
executive directors, professional bodies, business
groups and the professional services firms. The
Contents

Foreword from the Council 1

Message from the Chair 3

The Guidance 4

The independent Steering Committee 9

Internal Audit Code of Practice: Guidance on effective internal audit in the private and third sectors 3

Message from the Chair

The publication of the Internal Audit Code of Practice represents the

final and unanimous recommendations of the independent Steering
Committee established by the Chartered Institute of Internal Auditors.
The aim of the guidance is to increase the effectiveness of internal audit
functions in the private and third sectors.

Building on the success of the Chartered IIA’s For the Code now to be implemented successfully
Guidance on Effective Internal Audit in the and for its recommendations to be effective, it is
Financial Services Sector (“Financial Services critical that it is actively supported by all relevant
Code”) we hope that this new Code has a similar stakeholders. In particular this will require chief
impact at raising the scope, skills and status of the internal auditors, audit committee chairs (and
internal audit profession across a broader range members), boards and executive management
of private and third sector organisations. In turn working collaboratively in partnership to ensure
it should help to promote and strengthen good the principles and recommendations contained
corporate governance. within the Code are applied appropriately.
I urge them to do just that.
The final Code has been issued following a full and
comprehensive public consultation exercise which Finally, I would like to offer my thanks to the
attracted a strong response from stakeholders, members and observers of the independent
including seventy written responses submitted to Steering Committee for all their excellent work.
the draft version of the Code that we published in
July 2019. Indeed, the committee was impressed by Brendan Nelson,
the level of thought and consideration that went Chair, Internal Audit Code of Practice
into the responses, and the overall support for the Steering Committee
Code further validated the process. The committee
has now considered carefully the results of the
consultation, listened to the views of stakeholders,
and made a number of changes as a consequence
of that feedback.

One of the key themes from the written responses

and in the one to one meetings we conducted
with stakeholders, was the need for the Code to
be modified to make it clearer that it should be
applied proportionately, dependent on the size and
complexity of the organisation. In response we have
put greater emphasis on this and made it clearer in
the introduction section of the Code.
4 Internal Audit Code of Practice: Guidance on effective internal audit in the private and third sectors

The Guidance

Introduction 5. The Code is principles-based. It is expected

that the procedural requirements of the
Code should be applied proportionately, and
The purpose of the Code therefore smaller organisations should apply
1. The recommendations which follow are the principles on which the Code is based
aimed at enhancing the overall effectiveness and its procedural requirements in light of
of internal audit, and its impact, within their size, risk profile and internal organisation
organisations operating in the UK and Ireland. and the nature, scope and complexity of
They can be regarded as a benchmark of good their operations.
practice against which organisations can assess
their internal audit function. A. Role and mandate of internal audit

Who is it for? 6. The primary role of internal audit should be to

help the board and executive management to
2. The intended audience for the Code of Practice protect the assets, reputation and sustainability
includes chief internal auditors, executive of the organisation.
and non-executive directors, and in particular
members of audit and risk committees, and It does this by assessing whether all significant
where appropriate regulatory bodies. risks are identified and appropriately reported
by management to the board and executive
3. The Code is intended to be applied by all management; assessing whether they are
organisations in the private and third sectors adequately controlled; and by challenging
with an internal audit function and an audit executive management to improve the
committee of independent non-executive effectiveness of governance, risk management
directors or their equivalent. It is based on and internal controls. The role of internal
Effective Internal Audit in the Financial Services audit should be articulated in an internal audit
Sector (‘Financial Services Code’), but internal charter, which should be publicly available.
audit functions in financial services should
continue to follow the ‘Financial Services Code’ 7. The board, its committees and executive
which contains provisions which are specific management should set the right ‘tone at the
to financial services. Whilst it may prove useful top’ to ensure support for, and acceptance of,
for internal audit in the public sector, it is not internal audit at all levels of the organisation.
drafted with the public sector specifically in
mind and public sector internal audit functions B. Scope and priorities of internal audit
should continue to follow the Public Sector
Internal Audit Standards. 8. Internal audit’s scope should be unrestricted.

How should it be applied? There should be no aspect of the organisation

which internal audit should be restricted
4. The Code of Practice should be applied in from looking at as it delivers on its mandate.
conjunction with the existing International Whilst it is not the role of internal audit to
Professional Practices Framework (IPPF) second guess the decisions made by the board
published by the Global Institute of Internal and its committees, its scope should include
Auditors, which includes the International information presented to the board and its
Standards for the Professional Practice of committees as discussed further below.
Internal Auditing (‘the IIA Standards’). The
Code builds on those Standards; and seeks 9. Risk assessments and prioritisation of internal
to increase the effectiveness and impact of audit work.
internal audit within organisations by clarifying
expectations and requirements.
Internal Audit Code of Practice: Guidance on effective internal audit in the private and third sectors 5

In setting its scope, internal audit should form Internal audit should include within its scope
its own judgement on how best to segment the processes and controls supporting strategic
the audit universe given the structure and risk and operational decision-making. It should
profile of the organisation. It should take into assess whether the information presented to
account business strategy and should form an the board and executive management fairly
independent view of whether the key risks to represents the benefits, risks and assumptions
the organisation have been identified, including associated with the viability of the strategy and
emerging and systemic risks, and assess how corresponding business model.
effectively these risks are being managed.
Internal audit’s independent view should be c. The setting of, and adherence to, the risks the
informed, but not determined, by the views of entity is willing to accept (risk appetite).
management. In setting out its priorities and
deciding where to carry out more detailed work, Internal audit is not responsible for setting the
internal audit should focus on the areas where it risk appetite but should assess whether the
considers risks to be higher. risk appetite has been established and reviewed
through the active involvement of the board
Internal audit should make a risk-based and executive management. It should assess
decision as to which areas within its scope whether risk appetite is embedded within
should be included in the audit plan – it does the activities, limits and reporting of
not necessarily have to cover all of the scope the organisation; and it should report annually
areas every year. Its judgement on which areas to the audit committee its conclusions on
should be covered in the audit plan, and on whether the organisation’s risk appetite is
the frequency and method of audit cycle being adhered to.
coverage, should be subject to approval by
the audit committee. d. The risk and control culture of the organisation.

10. Internal audit coverage and planning. Internal audit should include within its scope
the risk and control culture of the organisation.
Internal audit plans, and material changes to This should include assessing whether the
internal audit plans, should be approved by the processes (e.g. appraisal and remuneration),
audit committee. They should have the flexibility actions (e.g. decision-making), ‘tone at the
to deal with unplanned events to allow internal top’ and observed behaviours across the
audit to prioritise emerging risks. Changes to organisation are in line with the espoused
the audit plan should be considered in light of values, ethics, risk appetite and policies of
internal audit’s ongoing assessment of risk. the organisation.

11. Scope of internal audit. Internal audit should consider the attitude
and assess the approach taken by all levels
The scope of internal audit’s work should be of management to risk management
regularly reviewed to take account of new and and internal control. This should include
emerging risks. Where relevant, internal audit management’s actions in addressing known
should assess not only the process followed control deficiencies as well as management’s
by the organisation’s first and second lines of regular assessment of controls.
defence, but also the quality of their work.
e. Key corporate events.
As a minimum, internal audit should include
within its scope the following areas: Examples of key corporate events could
include significant business process changes,
a. Internal governance. introduction of new products and services,
outsourcing decisions and acquisitions/
Internal audit should include within its scope divestments. Internal audit should decide on
the design and operating effectiveness of the a timely basis if these events are sufficiently
internal governance structures and processes of high risk to warrant involvement. In doing so,
the organisation. internal audit will evaluate whether the key risks
are being adequately addressed (including by
b. The information presented to the board and other forms of assurance, e.g. due diligence)
executive management for strategic and and reported. Internal audit should also assess
operational decision-making. whether the information being used in such key
6 Internal Audit Code of Practice: Guidance on effective internal audit in the private and third sectors

decision-making is fair, balanced and reasonable, with an analysis of themes and trends
and whether the related procedures and controls emerging from internal audit work and their
have been followed. impact on the organisation’s risk profile.

f. Outcomes of processes. D. Interaction with risk management,

Internal audit should evaluate the design and
compliance and finance
operating effectiveness of the organisation’s
14. In most organisations there will be some
policies and processes. In doing so, it should
functions (e.g. finance, HR, compliance, legal,
not adopt a ‘tick box’ approach based purely
health & safety and risk management) whose
on the design of processes and should always
responsibilities include designing and/or
consider the actual outcomes which result
operating controls over risks which arise in
from their application, assessed against the
other parts of the organisation. Functions with
espoused values, ethics, risk appetite and
such control responsibilities have substantial
policies of the organisation.
potential to contribute to the effectiveness of
governance, risk management and internal
C. Reporting results controls in an organisation.

12. Internal audit should be present at, and issue 15. Internal audit should include within its scope an
reports to the relevant governing bodies, assessment of the adequacy and effectiveness
including the board audit committee, and any of the control functions. This assessment should
other board committees as appropriate. The involve informed judgement as to what extent
nature of the reports will depend on the remits it is appropriate to take account of relevant
of the respective governing bodies. work undertaken by others, such as risk
management, compliance or finance in either its
13. Internal audit’s reporting to the board audit and risk assessment or in the determination of the
any other board committees should include: level of audit testing required for the activities
under review. Any judgement which results in
• a focus on significant control weaknesses less intensive internal audit scrutiny should only
and breakdowns together with a robust be made after an appropriate evaluation of the
root-cause analysis. Internal audit’s reports effectiveness of that specific function in relation
should identify owners, accountabilities and to the area under review.
timescales for each management action;
16. The objectivity of internal audit is strongest
• any thematic issues identified across the if it is neither responsible for, nor part of, the
organisation; “control” functions and such separation is to
be preferred. However, the purpose and skills
• an independent view of management’s of internal audit is complementary to that of
reporting on the risk management of the “control” functions and, in some cases,
the organisation, including a view on organisations may assign responsibility for
management’s remediation plans (which some “control” functions to the chief internal
might include restricting further business auditor. A common example is for a joint head
until improvements have been implemented) of risk and internal audit.
highlighting areas where there are
significant delays; 17. In cases where the chief internal auditor has
been assigned some other “control” functions
• a review of any post-mortem and ‘lessons the audit committee should ensure that the
learned’ analysis if a significant adverse event additional responsibilities of the chief
has occurred at an organisation. Any such internal auditor:
review should assess both the role of the
first and second lines of defence and internal a. do not undermine his/her ability to give
audit’s own role; and appropriate attention to their internal
audit responsibilities.
• at least annually, an assessment of the overall
effectiveness of the governance, and risk and b. do not impair his/her independence
control framework of the organisation, and from management.
its conclusions on whether the organisation’s
risk appetite is being adhered to, together
Internal Audit Code of Practice: Guidance on effective internal audit in the private and third sectors 7

c. are appropriately documented in the expected that the objectives and appraisal
internal audit charter. would take into account the views of the
chief executive. This appraisal should consider
18. The board should also recognise that the the independence, objectivity and tenure of
chief internal auditor is not able to make an the chief internal auditor. Where the tenure of
objective assessment of the effectiveness of the chief internal auditor exceeds seven years,
the additional functions for which he/she has the audit committee should explicitly discuss
responsibility and that it may be desirable annually the chair’s assessment of the chief
to commission an external assessment of internal auditor’s independence and objectivity.
those functions.
25. The chair of the audit committee should
E. Independence and authority of be responsible for recommending the
remuneration of the chief internal auditor to the
internal audit remuneration committee. The remuneration of
the chief internal auditor and internal audit staff
19. The chief internal auditor should be at a senior
should be structured in a manner such that it
enough level within the organisation to give
avoids conflicts of interest, does not impair their
him or her the appropriate standing, access and
independence and objectivity and should not be
authority to challenge the executive. Subsidiary,
directly or exclusively linked to the short-term
branch and divisional heads of internal audit
performance of the organisation.
should also be of a seniority comparable to the
senior management whose activities they are
26. Subsidiary, branch and divisional heads of
responsible for auditing.
internal audit should report primarily to the
group chief internal auditor, while recognising
20. Internal audit should have the right to attend
local legislation or regulation as appropriate.
and observe all or part of executive committee
This includes the responsibility for setting
meetings and any other key management
budgets and remuneration, conducting
decision-making fora. This enables internal
appraisals and reviewing the audit plan.
audit to understand better the strategy of
The group chief internal auditor should consider
the business, key business issues and decisions,
the independence, objectivity and tenure of
and to adjust internal audit priorities where
the subsidiary, branch or divisional heads of
appropriate. It also facilitates a better working
internal audit when performing their appraisals.
relationship with executive committee members.
27. If internal audit has a secondary reporting line,
21. Internal audit should have sufficient and timely
this should be to someone who promotes,
access to key management information and a
supports and protects internal audit’s
right of access to all of the organisation’s records
independent and objective voice. Ordinarily
necessary to discharge its responsibilities.
this should be the CEO in order to preserve
independence from any particular business
In organisations in which the internal audit
area or function and to establish the standing
function is outsourced this Code still applies,
of internal audit alongside the executive
and the chief internal auditor should always be
committee members. However, with the
employed directly by the organisation to ensure
agreement of the chair of the audit committee
they have sufficient and timely access to key
the secondary reporting line could be to
management information and decisions.
another member of executive management.
22. The primary reporting line for the chief
internal auditor should be to the chair of F. Resources
the audit committee.
28. The chief internal auditor should ensure that
23. The audit committee should be responsible the audit team has the skills and experience,
for appointing the chief internal auditor and including technical subject matter expertise,
removing him/her from post. commensurate with the scale of operations
and risks of the organisation. This may entail
24. The chair of the audit committee should be training, recruitment, secondment from other
accountable for setting the objectives of the parts of the organisation or co-sourcing with
chief internal auditor and appraising his/her external third parties.
performance at least annually. It would be
8 Internal Audit Code of Practice: Guidance on effective internal audit in the private and third sectors

29. The chief internal auditor should provide the 34. Where the internal audit function is outsourced
audit committee with a regular assessment of to, or co-sourced with, an external provider,
the skills required to conduct the work needed, internal audit’s work should be subject to the
and whether the internal audit budget is same QAIP work as an in-house function.
sufficient to recruit and retain staff or procure The results of this QAIP work should be
other resources with the expertise, experience presented to the audit committee at least
and objectivity necessary to provide effective annually for review. Chief internal auditors
challenge throughout the organisation and to should report regularly to the audit committee
the executive. on the actions or progress implementing the
outcomes of the review.
30. The audit committee should be responsible for
approving the internal audit budget and, as part 35. In addition, the audit committee should
of the board’s overall governance responsibility, obtain an independent and objective external
should disclose in the annual report whether quality assessment at appropriate intervals,
it is satisfied that internal audit has the irrespective of the size of the organisation.
appropriate resources. This could take the form of periodic reviews of
elements of the function, or a single review of
G. Quality Assurance and Improvement the overall function. In any event, the internal
audit function as a whole should as a minimum
Programme (QAIP) be subject to a review at least every five years,
as set out in the International Professional
31. The board or the audit committee is responsible
Practices Framework (IPPF) for internal audit.
for evaluating the performance of the internal
The conformity of internal audit with this
audit function on a regular basis. In doing so
guidance should be explicitly included in this
it will need to identify appropriate criteria for
evaluation. The chair of the audit committee
defining the success of internal audit. Delivery
should oversee and approve the appointment
of the audit plan should not be the sole criterion
process for the independent assessor.
in this evaluation.
36. The external quality assessment should
32. Internal audit should maintain an up-to-date
consider and report on compliance with
set of policies and procedures, and
this Code as well as with the International
performance and effectiveness measures for
Professional Practices Framework (IPPF) and
the internal audit function. Internal audit
the International Standards for the
should continuously improve these in light
Professional Practice of Internal Auditing
of industry developments.
(‘the IIA Standards’).
33. Internal audit functions of sufficient size
should develop a quality assurance and H. Relationship with Regulators
improvement programme, with the work
performed by individuals who are independent 37. The chief internal auditor should consider the
of the delivery of the audit. The individuals impact of the regulatory environment and
performing the assessments should have have an open, constructive and cooperative
the standing and experience to meaningfully relationship with relevant regulators.
challenge internal audit performance and to
ensure that internal audit judgements and I. Relationship with External Audit
opinions are adequately evidenced.
38. The chief internal auditor and the partner
The scope of the QAIP review should responsible for external audit should ensure
include internal audit’s understanding and appropriate and regular communication and
identification of risk and control issues, in sharing of information.
addition to the adherence to audit methodology
and procedures. This may require the use of
resource from external parties. The quality
assurance work should be risk-based to cover
the higher risks of the organisation and of the
audit process. The results of these assessments
should be presented directly to the audit
committee at least annually.
Internal Audit Code of Practice: Guidance on effective internal audit in the private and third sectors 9

The independent Steering Committee

Brendan Nelson Byron Grote David Lindsell Carolyn Clarke

Audit Committee Chair, BP Audit Committee Chair, Audit Committee Chair, Head of Audit,
(Committee Chair) Tesco and Drax Group and Risk and Control,
Anglo American Cancer Research UK Centrica

Paul Kaczmar Angela O’Hara Colin Gray

Director of Internal Audit, Director Assurance & Risk, Senior Vice President,
Michael Page Johnson Matthey Risk and Assurance,
InterContinental
Hotels Group

Observers to the Committee Support to the Committee

Paul Boyle, Chairman, Gavin Hayes, Head of Policy and External Affairs,
Protect (Committee Adviser) Chartered IIA

Paul George, Executive Director, Liz Sandwith, Chief Professional Practices

Corporate Governance & Reporting, Adviser, Chartered IIA
Financial Reporting Council

Dr Ian Peters MBE, Chief Executive,

Chartered IIA
About the Chartered Institute
of Internal Auditors
The Chartered Institute of Internal Auditors is the only
professional body dedicated exclusively to training,
supporting and representing internal auditors in the
UK and Ireland.

We have 10,000 members in all sectors of the economy.

First established in 1948, we obtained our Royal Charter in

2010. Over 2,000 members are Chartered Internal Auditors
and have earned the designation CMIIA. About 1,000 of our
members hold the position of head of internal audit and the
majority of FTSE 100 companies are represented among our
membership.

Members are part of a global network of 200,000 members

in 170 countries, all working to the same International
Standards and Code of Ethics.

Chartered Institute of
Internal Auditors
13 Abbeville Mews
88 Clapham Park Road
London SW4 7BX

tel 020 7498 0101

email [email protected]

Further guidance on this Code and frequently asked questions

will be made available on the Institute’s website.