Response to Audit Code consultation

My response to the Chartered IIA's consultation on an Audit Code of Practice



Internal Audit Code of Practice: Consultation


I am pleased to submit my personal response to the consultation on a new Internal Audit Code of Practice from the Chartered Institute of Internal Auditors. The Financial Services Code has certainly had an impact, and I am supportive of the Institute's move to publish a Code to a wider audience. 


In particular I believe there is an opportunity with the publication of the Code to help raise audit committees' expectations of internal audit through their increased understanding of the profession.


In forming my response, I have drawn on my views both as an internal auditor and as a non-executive director and audit committee chair.


Yours, 


Rachel Bowden

ThinkingAudit Ltd




1. Which companies, organisations and sectors should the new Internal Audit Code of Practice cover and what should its scope be? 


Ideally the Code of Practice should apply to all organisations that are large enough to have an internal audit activity, those which are required to have internal audit, and those which have decided to have an internal audit function. If the IIA were to list organisations that should follow the Code, realistically this could reference:

 

  • Listed companies
  • Large private companies (aligned to the scope of such businesses which come under the scope of the Wates Corporate Governance Principles for Large Private Companies). 
  • The public sector, making particular reference to those organisations which are required to follow the Public Sector Internal Audit Standards (PSIAS).
  • Not-for-profit organisations where there is an expectation for an internal audit service to be in place (including larger housing associations, universities, large charities)

 

Given that there is already a Financial Services Code, which has been well received and has helped raise the profile of both the Chartered Institute and Internal Audit in that sector, it may be useful for different versions of the Code to be available (perhaps making at the minimum a separate version for the public sector to be able to refer to PSIAS). 


It will be important for the success of the Code for it to reach audit committee and board members, and therefore even if there is one version of the Code, a communication plan that targets these groups with targeted messages relevant to their sectors would be useful.



2. How far should there be independence between the second and third lines of defence? 


This is not an area where it is easy to be prescriptive; it may depend on the size and complexity of the organisation as to whether it is appropriate for internal audit to have any involvement (other than providing objective assurance) with second-line functions.

The 'Internal Audit role in ERM' graphic which the Institute has used for a number of years and which was then adopted into IIA Global's guidance is a useful reference here and perhaps could be adapted to explain the different relationships that internal audit may have with second-line functions.



3. Should internal audit have the right to attend and observe Executive Committee meetings? 


Yes.



4. Should the new Code include guidance and best practice on the outsourcing of internal audit provision? 


No. This would be useful guidance for the Institute to issue, but the Code is not the appropriate place for this guidance as it would detract from the core messages of the Code.

 

I suggest that the Code includes a clear statement that the Code, and indeed the full International Professional Practices Framework (IPPF), applies to outsourced services as well as to in-house internal audit functions, and that where an outsourced service is in place it is the responsibility of the board and / or audit committee to ensure that an appropriate internal audit service is in place and that the provider is conforming with the IPPF and meeting the requirements of the Code.

If the Institute does decide to develop guidance on outsourcing it would be useful to have two sets of guidance: 

 

  • one for those providing the outsourced services to set expectations and to clarify some areas such as what constitutes an appropriate external assessment where internal audit is outsourced; and 
  • guidance for Senior Management and Audit Committees who are procuring, receiving and managing an outsourced internal audit service.

 


5. Should the secondary executive reporting line be to the CEO, or should we adopt a more flexible approach in the new Code? 


The Code needs to be realistic, and therefore could make reference to a secondary reporting line to the CEO, or another senior member of the executive team who is able to fulfil a similar role. However, the secondary reporting line to the CEO should still remain the ideal position, and if not then even with an alternative secondary reporting line, internal auditors must have access to the CEO when required.



6. Should the new Code include guidance on how an internal audit function may provide assurance services where it had previously performed consulting services? 


The Code is not the appropriate place for detailed guidance on providing assurance services where internal audit has previously performed consulting services. There is already guidance within the IPPF both within the Standards and implementation guidance, and the Code should not become a replacement for any element of the IPPF.


However, as with many points in the Code, it is unlikely that all audit committee members will have detailed knowledge of the IPPF, and therefore some reference to this as a requirement within the Code (rather than detailed guidance) is useful to help audit committees fully understand this area.



7. Are there any other matters which should be addressed in the Internal Audit Code of Practice? 


Other matters to be addressed in the Code:


A1: clarify what is meant by the internal audit charter being 'publicly available'

A2: does not mention audit committee (which is in alignment with the IPPF which always refers to the board). However A4 then refers to audit committee. It would be useful if A2 were to also refer to audit committee.

G29 / G30: It would be useful to explicitly state that, as outsourced internal audit services must meet the same quality assurance and improvement programme (QAIP) requirements as in-house internal audit functions, this includes the five-yearly external assessment element of QAIP.


Other areas where the Institute may wish to issue guidance:


E19: it would be useful to provide guidance or further comment on the assessment of the head of internal audit's independence where their tenure exceeds seven years.



This article last updated 7 October 2019
Rachel Bowden, ThinkingAudit Ltd

Rachel Bowden

Founder & Director

ThinkingAudit Ltd
