0758 Effective Internal Audit Financial Webfinal

Download as pdf or txt
Download as pdf or txt
You are on page 1of 16

Effective Internal

Non Executive Directors (NEDs)


Audit in the Financial
and the Management of Risk
A survey of heads of internal audit

Services Sector
Recommendations from the Committee
on Internal Audit Guidance for
Financial Services
July 2013
Contents

Foreword from the Chief Executive 3


Message from the Chairman 4
Introduction and context 5
Recommendations of the Committee (The Guidance) 6
Basis for conclusions 11
Committee membership 15

2
Foreword from the Chief Executive

The guidance contained within financial crisis and more recent governance, risk
this document represents the final management and internal control failures within
recommendations of the Committee on the financial services sector – notably the June
Internal Audit Guidance for Financial Services, 2013 report of the Parliamentary Committee on
which the Institute has accepted in full and Banking Standards Commission – emphasise that
now commends to the Boards and Internal a more influential internal audit function can
Audit practitioners of all organisations play a more significant role in supporting Non-
operating in the UK financial services sector. Executive and Executive Management of financial
services organisations to manage risks better.
Chaired by Roger Marshall, the Audit Committee
Chair of a FTSE 100 insurance group and a So I hope that Boards and particularly Audit
director of the accountancy standards setter, Committees will embrace the spirit and principles
the Financial Reporting Council (FRC), our of this new guidance, so that the Internal Audit
Committee was an independent, industry led profession may deliver its full value to them.
body which the Institute created specifically for
the purpose of developing this guidance. The Finally, I should like to thank the members of the
group was designed to embrace Non-Executives, Committee for their diligence and commitment
Executives, Internal Audit practitioners and the to the task of producing their recommendations.
regulatory and standard setters’ perspectives. Despite a challenging delivery timetable, they
Together they achieved a high level of debate have promulgated a comprehensive debate about
and engagement across the financial services the role of Internal Audit in financial services
sector on the issues of Internal Audit’s role in organisations and achieved a high level of
supporting the management of risk. The result engagement on the issues, across the industry.
is the set of thorough, thoughtful and scalable
recommendations contained within these pages.

This new guidance is important because Dr Ian Peters


conclusions drawn on the causes of the Chief Executive

3
Message from the Chairman

We have pleasure in issuing our final The Committee agrees and has included
recommendations aimed at fostering an overall paragraph in the Introduction
effective internal audit in the financial and Context section making this clear.
services sector.
Whilst we have addressed our recommendations
This follows a lengthy consultation exercise to the Chartered Institute of Internal
which started in September 2012. We issued Auditors we appreciate that many of them
our draft proposals on 11 February 2013 and can only be implemented by Boards, Audit
have been struck not only by the number of Committees and Executive Management.
responses but also by the thought and care
which have gone into preparing them. The We hope that some of the recommendations will
Committee has considered the responses in be useful outside the financial services sector. We
detail and our final recommendations have have written separately to the Financial Reporting
been modified as a result. In some cases we Council recommending that they consider whether
realised that the principle was supported but additional guidance is needed on what should be
that the wording was unclear but in other cases expected from a good Internal Audit function.
more significant changes have been made.
Finally I would like to extend my thanks
We have included a basis for conclusions section to the Members and Observers of the
in this document, which includes the main themes Committee and to our secretary, Chris
of the responses and how we dealt with them. Spedding, for all their diligent work.

A key feature of the responses was the need


for proportionality in the way in which Roger Marshall
the recommendations are implemented. Chairman of the Committee

4
Introduction and context

The recommendations included in the The guidance aims to establish principles rather
following guidance are made by the than detailed rules. Nevertheless it is written
Committee to the Chartered Institute of Internal in the context of a reasonable sized company
Auditors in the UK with the aim of enhancing operating within the UK regulated financial
the overall effectiveness of Internal Audit, services sector. Smaller companies and branches
and its impact within the firms operating in of non-UK headquartered organisations in
the financial services sector in the UK. The particular may need to make modifications to
guidance can be regarded as an additional the detail of the principles whilst complying
benchmark against which firms can measure with their spirit. The guidance is assumed to
their Internal Audit function. The intended be interpreted and implemented in a manner
audience for this guidance includes Chief and to the extent that is appropriate to a firm’s
Internal Auditors, Executive and Non-Executive size, risk profile, internal organisation and the
Directors and the Regulatory bodies. nature, scope and complexity of its activities.

The guidance should be applied in conjunction Wherever possible, the guidance has attempted
with the existing Institute of Internal Auditors to use layman’s language to define terms
International Professional Practices Framework open to ambiguity or differing application,
(IPPF), which includes the International e.g. “assurance”, “three lines of defence”
Standards for the Professional Practice of and “reporting line”. To a great extent, the
Internal Auditing (the IIA Standards). The guidance has also avoided recommendations
recommendations contained in this guidance on the application and implementation of
aim to build on the IIA Standards, providing the principles included. Given organisational
financial services context to the existing IIA and industry specific factors, and a
Standards, and to increase the effectiveness variety of potential audit approaches, the
and impact of internal audit in high risk areas Committee did not feel it was appropriate
of financial services organisations by clarifying to mandate best practice of application.
expectations and requirements of internal audit.

5
Recommendations of the Committee
(The Guidance)

[A] Role and mandate of assess how effectively these risks are being
Internal Audit managed. Internal audit’s independent view
should be informed, but not determined,
1. The primary role of Internal Audit should by the views of management or the Risk
be to help the Board and Executive function. In setting its priorities and deciding
Management to protect the assets, reputation where to carry out more detailed work,
and sustainability of the organisation. Internal Audit should focus on the areas
where it considers risk to be higher.
It does this by assessing whether all significant
risks are identified and appropriately reported Internal Audit should make a risk-based
by management and the Risk function to decision as to which areas within its scope
the Board and Executive Management; should be included in the audit plan – it
assessing whether they are adequately does not necessarily have to cover all of
controlled; and by challenging Executive the potential scope areas every year.
Management to improve the effectiveness of
governance, risk management and internal 5. Internal Audit planning
controls. The role of Internal Audit should
be articulated in an Internal Audit Charter, Internal Audit plans, and material changes
which should be publicly available. to Internal Audit plans, should be approved
by the Audit Committee. They should
2. The Board, its Committees and Executive have the flexibility to deal with unplanned
Management should set the right “tone at the events to allow Internal Audit to prioritise
top” to ensure support for, and acceptance of, emerging risks. Changes to the audit plan
Internal Audit at all levels of the organisation. should be considered in light of Internal
Audit’s ongoing assessment of risk.
[B] Scope and priorities 6. Scope of Internal Audit
of Internal Audit
Internal Audit should include within
3. Internal Audit’s scope should be unrestricted its scope the following areas:

There should be no aspect of the organisation a. Internal governance


which Internal Audit should be restricted from
looking at as it delivers on its mandate. Whilst Internal Audit should include
it is not the role of Internal Audit to second within its scope the design and
guess the decisions made by the Board, its operating effectiveness of the
scope should include information presented internal governance structures and
to the Board as discussed further below. processes of the organisation.

4. Risk assessments and prioritisation b. The information presented to the Board


of Internal Audit work and Executive Management for strategic
and operational decision making
In setting its scope, Internal Audit should take
into account business strategy and should Internal Audit should include within
form an independent view of whether the key its scope the processes and controls
risks to the organisation have been identified, supporting strategic and operational
6 including emerging and systemic risks, and
decision making. It should assess Internal Audit should evaluate whether
whether the information presented to Business and Risk Management are
the Board and Executive Management adequately designing and controlling
fairly represents the benefits, risks and products, services and supporting
assumptions associated with the strategy processes in line with customer
and corresponding business model. interests and conduct regulation.

c. The setting of, and adherence f. Capital and liquidity risks


to, risk appetite
Internal Audit should include within
Internal Audit is not responsible for setting its scope the management of the
the risk appetite but should assess whether organisation’s capital and liquidity risks.
the risk appetite has been established and
reviewed through the active involvement g. Key corporate events
of the Board and Executive Management.
It should assess whether risk appetite is Examples of key corporate events could
embedded within the activities, limits include significant business process
and reporting of the organisation. changes, introduction of new products
and services, outsourcing decisions
d. The risk and control culture and acquisitions/divestments. Internal
of the organisation Audit should decide if these events
are sufficiently high risk to warrant
Internal Audit should include within its involvement on a real time basis. In
scope the risk and control culture of doing so, Internal Audit will evaluate
the organisation. This should include whether the key risks are being adequately
assessing whether the processes (e.g. addressed (including by other forms of
appraisal and remuneration), actions (e.g. assurance, e.g. third party due diligence)
decision making) and “tone at the top” and reported. Internal Audit should
are in line with the values, ethics, risk also assess whether the information
appetite and policies of the organisation. being used in such key decision making
is fair, balanced and reasonable, and
Internal Audit should consider the whether the related procedures and
attitude and assess the approach taken controls have been followed.
by all levels of management to risk
management and internal control. h. Outcomes of processes
This should include Management’s
actions in addressing known control Internal Audit should evaluate the design
deficiencies as well as Management’s and operating effectiveness of the
regular assessment of controls. organisation’s policies and processes.
As part of this evaluation, Internal Audit
e. Risks of poor customer treatment, giving should consider whether the outcomes
rise to conduct or reputational risk achieved by the implementation of
these policies and processes are in
Internal Audit should evaluate whether line with the objectives, risk appetite
the organisation is acting with integrity and values of the organisation.
in its dealings with customers and in
its interaction with relevant markets. 7
[C] Reporting results Compliance and Finance functions. In
evaluating the effectiveness of internal
7. Internal Audit should be present at, and controls and risk management processes, in
issue reports to the appropriate governing no circumstances should Internal Audit rely
bodies, including the Board Audit Committee, exclusively on the work of Risk Management,
the Board Risk Committee and any other Compliance or Finance. Internal Audit should
Board Committees as appropriate. The always examine, for itself, an appropriate
nature of the reports will depend on the sample of the activities under review.
remits of the respective governing bodies.
11. Internal Audit should exercise informed
8. Internal Audit’s reporting to the Board Audit judgement as to when to place reliance on
and Risk Committees should include: the work of Risk Management, Compliance
or Finance. To the extent that Internal
• a focus on significant control Audit places reliance on the work of Risk
weaknesses and breakdowns together Management, Compliance or Finance, that
with a robust root-cause analysis; should only be after a thorough evaluation
• any thematic issues identified of the effectiveness of that function in
across the organisation; relation to the area under review.
• an independent view of Management’s
reporting on the risk management [E] Independence and authority
of the organisation, including a view of Internal Audit
on Management’s remediation plans
(which might include restricting further 12. The Chief Internal Auditor should be at a
business until improvements have been senior enough level within the organisation
implemented) highlighting areas where (normally expected to be at Executive
there are significant delays; and Committee or equivalent) to give him
• at least annually, an assessment of the or her the appropriate standing, access
overall effectiveness of the governance, and authority to challenge the Executive.
and risk and control framework of the Subsidiary, branch and divisional Heads of
organisation, together with an analysis Internal Audit should also be of a seniority
of themes and trends emerging from comparable to the senior management whose
Internal Audit work and their impact activities they are responsible for auditing.
on the organisation’s risk profile.
13. Internal Audit should have the right to
[D] Interaction with Risk attend and observe all or part of Executive
Management, Compliance Committee meetings and any other key
and Finance management decision making fora.

9. Effective Risk Management, Compliance 14. Internal Audit should have sufficient
and Finance functions are an essential part and timely access to key management
of an organisation’s corporate governance information and a right of access to all
structure. Internal Audit should be of the organisation’s records, necessary
independent of these functions and be to discharge its responsibilities.
neither responsible for, nor part of, them.
In organisations in which the Internal
8 10. Internal Audit should include within its Audit function is outsourced, the Chair
scope an assessment of the adequacy and of the Audit Committee should identify
effectiveness of the Risk Management, an appropriate individual responsible for
ensuring that the Chief Internal Auditor to the Group Chief Internal Auditor, while
has sufficient and timely access to key recognising local legislation or regulation as
management information and decisions. appropriate. This includes the responsibility
for setting budgets and remuneration,
15. The primary reporting line for the Chief conducting appraisals and reviewing
Internal Auditor should be to the Chairman the audit plan. The Group Chief Internal
of the Audit Committee. In exceptional Auditor should consider the independence,
circumstances, the Board may wish for Internal objectivity and tenure of the subsidiary,
Audit to report directly to the Chairman of branch or divisional Heads of Internal
the Board, or delegate responsibility for the Audit when performing their appraisals.
reporting line to the Chairman of the Board
Risk Committee, provided the Chairman 20. If Internal Audit has a secondary Executive
of the Board Risk Committee and all the reporting line, this should be to the CEO in
other Committee members are independent order to preserve independence from any
Non-Executive Directors. The reporting particular business area or function and
line must avoid any impairment to Internal to establish the standing of Internal Audit
Audit’s independence and objectivity. alongside the Executive Committee members.

16. The Audit Committee should be responsible [F] Resources


for appointing the Chief Internal Auditor
and removing him/her from post. 21. The Chief Internal Auditor should ensure
that the audit team has the skills and
17. The Chairman of the Audit Committee experience commensurate with the
should be accountable for setting the risks of the organisation. This may entail
objectives of the Chief Internal Auditor training, recruitment, secondment from
and appraising his/her performance. It other parts of the organisation or co-
would be expected that the objectives and sourcing with external third parties.
appraisal would take into account the views
of the Chief Executive. This appraisal should 22. The Chief Internal Auditor should provide
consider the independence, objectivity the Audit Committee with a regular
and tenure of the Chief Internal Auditor. assessment of the skills required to conduct
the work needed, and whether the Internal
18. The Chairman of the Audit Committee Audit budget is sufficient to allow the
should be responsible for recommending function to recruit and retain staff with
the remuneration of the Chief Internal the expertise and experience necessary
Auditor to the Remuneration Committee. to provide effective challenge throughout
The remuneration of the Chief Internal the organisation and to the Executive.
Auditor and Internal Audit staff should be
structured in a manner such that it avoids 23. The Audit Committee should be responsible
conflicts of interest, does not impair their for approving the Internal Audit budget and,
independence and objectivity and should as part of the Board’s overall governance
not be directly or exclusively linked to the responsibility, should disclose in the annual
short term performance of the organisation. report whether it is satisfied that Internal
Audit has the appropriate resources.
19. Subsidiary, branch and divisional Heads
of Internal Audit should report primarily
9
[G] Quality assessment 28. In addition, the Audit Committee should
obtain an independent and objective external
24. The Board or the Audit Committee is assessment at appropriate intervals. This
responsible for evaluating the performance of could take the form of periodic reviews of
the Internal Audit function on a regular basis. elements of the function, or a single review
In doing so it will need to identify appropriate of the overall function. The conformity of
criteria for defining the success of Internal Internal Audit with the recommendations
Audit. Delivery of the audit plan should not included in this guidance should be
be the sole criterion in this evaluation. explicitly included in this evaluation. The
Chairman of the Audit Committee should
25. Internal Audit should maintain an up-to- oversee and approve the appointment
date set of policies and procedures, and process for the independent assessor.
performance and effectiveness measures
for the Internal Audit function. Internal [H] Relationships with regulators
Audit should continuously improve these
in light of industry developments. 29. Nature and purpose of the relationship

26. Internal Audit functions of sufficient The Chief Internal Auditor, and other senior
size should develop a quality assurance managers within Internal Audit, should have
capability, with the work performed by an open, constructive and co-operative
individuals who are independent of the relationship with regulators which supports
delivery of the audit. The individuals sharing of information relevant to carrying
performing the assessments should have the out their respective responsibilities.
standing and experience to meaningfully
challenge Internal Audit performance and
to ensure that Internal Audit judgements
and opinions are adequately evidenced.

The scope of the quality assurance Wider considerations


review should include Internal Audit’s
understanding and identification of risk 30. The Chartered Institute of Internal
and control issues, in addition to the Auditors should consider developing
adherence to audit methodology and additional guidance on the application and
procedures. This may require the use of implementation of the recommendations
resource from external parties. The quality detailed in this guidance. In particular, less
assurance work should be risk-based to well established areas for Internal Audit
cover the higher risks of the organisation activity, such as auditing culture and outcomes
and of the audit process. The results of these would benefit from additional guidance.
assessments should be presented directly
to the Audit Committee at least annually. 31. This Committee recommends that the
Chartered Institute of Internal Auditors
27. Where the Internal Audit function is should review this guidance after a period of
outsourced to an external provider, Internal two to three years, and consider amending
Audit’s work should be subject to the same or updating the guidance as required.
quality assurance work as the in-house
functions. The results of this quality assurance
10 work should be presented to the Audit
Committee at least annually for review.
Basis for conclusions

On 11 February 2013, the Committee on issues raised by respondents to the consultation


Internal Audit Guidance for Financial Services paper, and contain a rationale for the Committee
issued a consultation paper containing a set of recommendations included in the final guidance.
draft recommendations to the Chartered Institute
of Internal Auditors. There was a two month [A] Role and mandate of
consultation period, ending on 12 April 2013. Internal Audit
The Committee received a large number of The Institute of Internal Auditors definition of
responses which included the views of Chief Internal Auditing is “an independent, objective
Internal Auditors, Non-Executive Directors, assurance and consulting activity designed to add
Executives and Risk Managers. The responses value and improve an organisation’s operations.
came from organisations across the financial It helps an organisation accomplish its objectives
services sector, including banks, insurers, by bringing a systematic, disciplined approach
building societies, asset managers and to evaluate and improve the effectiveness of risk
professional services firms, and from a range of management, control and governance processes”.
Trade Associations and professional bodies.
The Committee supports this definition,
In total, over 100 written responses were received, and emphasises the primary role of Internal
the majority of which (unless otherwise requested Audit is to protect the organisation. At the
by the respondent) have been made available discretion of the Audit Committee, Internal
for public review via the Chartered Institute Audit can perform other roles and activities
of Internal Auditors website (www.iia.org.uk/ within the organisation, but not at the
policy/policy-initiatives/financial-services). expense of helping the Board and Executive
Management to protect the assets, reputation
In addition to these written responses, the and sustainability of the organisation.
Committee hosted or attended numerous
consultation meetings and events to discuss the In response to consultation feedback, this
consultation paper with Internal Audit practitioners, section was amended to emphasise that
Non-Executive Directors and Executive the responsibility for the protection of the
Management. The consultation responses, organisation lies with the Board and Executive
and feedback from these sessions, have also Management. Internal Audit should support
contributed to the finalisation of the guidance. the Board and Executive Management
in discharging this responsibility. The
The majority of responses received supported final guidance also brings to the fore the
the overall objective of the initiative and the importance of “tone at the top” supporting
direction of the guidance, recognising that Internal Audit in delivering this mandate.
improving the effectiveness and impact of internal
audit can help strengthen risk management, Some consultation responses also questioned
governance and control in financial services. the Committee’s recommendation that
Accordingly, the objectives and direction of the Internal Audit Charter should be made
the guidance have not been substantively publicly available. The rationale for this
changed as a result of the consultation. recommendation is to provide clarity and
transparency to customers and investors
The amendments to the draft recommendations around the role and mandate of Internal
were made in response to feedback that Audit. This is aligned to the expectation that
highlighted recommendations that were potentially the Terms of Reference of the Committees
ambiguous or open to misinterpretation. The 11
of the Board be made publicly available.
sections below explain the more significant
[B] Scope and priorities were in response to inconsistencies across
of Internal Audit the industry around the nature, quality
and frequency of formal reporting from
In response to consultation feedback, Internal Audit to Board Audit Committees
the Committee have amended the and especially Board Risk Committees.
recommendations to clarify that Internal
Audit should not “second guess” the [D] Interactionwith Risk
decisions of the Board of Directors. The Management, Compliance
Committee has recommended that the Audit and Finance
Committee should ultimately be responsible
for approving the activity of Internal Audit. The feedback received in the consultation
process requested additional explanation
The IIA Standards require Internal Audit to around the relative roles of Internal Audit, Risk
be free from interference in determining the Management, Compliance and Finance. The
scope of their audit work. Whilst it is common Committee is not promoting a duplication of
for Internal Audit Charters to mandate an role or purpose between Internal Audit and
unrestricted scope, some Internal Audit Risk, Compliance or Finance. The Committee
functions did not include in their audit universe has recommended that Internal Audit should
or risk assessments some of the processes, have an enterprise-wide remit and mandate,
risks and events that were central to the and this must mean assessing the adequacy
problems faced by the financial services sector and effectiveness of the Risk Management,
in recent years. The Committee agrees with Compliance, and Finance functions.
the principle of an unrestricted scope, and, for
the avoidance of doubt, the guidance set out The Committee agreed with the consultation
areas of scope which were found to have been responses which argued that as well as Boards
restricted in some organisations, in practice receiving reports from Risk Management,
even if not in principle. This is not to say that Compliance and Finance, an additional
these areas should take priority over more perspective on risk management, governance
commonly audited / business-as-usual risk and control issues from Internal Audit is
areas, such as credit, operational or regulatory healthy and to be encouraged. The objective
risks. Feedback prompted the Committee of this section of guidance was, in part,
to stress that the guidance does not require to address a perceived misunderstanding
Internal Audit to cover every area contained of “combined” or “integrated” assurance
in the audit universe every year, although models. Internal Audit must have an
they will be considered in Internal Audit’s risk enterprise-wide remit – “the assurance map”
assessment and prioritisation of audit activity. cannot be carved up between the Internal
Audit, Risk and Compliance functions.
[C] Reporting results
[E] Independence and authority
The Committee separated the matters relating
to reporting lines between the provision of
of Internal Audit
direction to, and oversight of, Internal Audit
This section of the guidance addresses the
(for example on matters covered in section E
factors that can influence Internal Audit
such as budget, approval of audit plans and
work, and the conditions in which an Internal
performance appraisal) and the reporting
Audit function can most effectively influence
12 of information by Internal Audit which is
the organisation in which it operates.
covered in this section C. The Committee’s
recommendations around reporting results
The Committee recommends that Internal In response to feedback received, the
Audit plays a stronger role in supporting Committee considered the application of
the Board of Directors to discharge its this guidance to financial services institutions
responsibility to protect the organisation. The that have outsourced the internal audit
Committee recognised that Internal Audit function to an external provider.
must have sufficient standing and access
to Executive Management, to perform its For smaller organisations this often proves
role. Whilst the guidance has recommended to be a more effective and practical way
that Internal Audit should have the right to of securing access to expertise, experience
attend Executive Committee meetings and and skills that they would not normally
any other key decision making fora, in line be able to attract to an in-house function.
with the IIA Standards on independence, the The guidance also explicitly recognises
Committee does not support Internal Audit the need for proportionality for different
attending in a decision making capacity. This types, and complexities of organisation.
attendance is intended to help Internal Audit
to gain an understanding of the business and [F] Resources
its strategy, and to provide its perspectives
on risk and control. The Committee stopped The Committee recognise that the guidance
short of mandating attendance at these may have significant implications for the
key management fora, with attendance resource requirements of Internal Audit.
determined at the professional discretion of Increasing the expectations of Internal Audit,
the Chief Internal Auditor as they see fit to particularly in areas such as independent
discharge their responsibilities effectively. identification of key risks (including emerging
and systemic risks) challenging Executive
The Committee received feedback relating Management, exercising judgment over
to the interpretation of the recommendation technical areas such as risk appetite, governance
relating to the remuneration of Chief Internal and culture, and assessing outcomes of
Auditor. The guidance is consistent with processes, requires a different, and potentially
existing regulatory guidance around the increased mix of skills and experience.
remuneration of personnel working in the
control functions of financial institutions. The need for such skills and experience will be
The Committee did not deem it necessary to driven by the risk profile of each organisation,
prescribe additional guidance in this area. and should be informed by emerging risks in
the industry. It is important to emphasise that
The consultation paper recommended the resources and skills within the function
that “in order to protect the objectivity and should be determined by the risk assessment
independence of Internal Audit, the Audit and audit plan, and not vice versa – a criticism
Committee should determine an appropriate of some audit functions was that their primary
interval to consider the need to change the Chief focus was on the areas that they could audit, as
Internal Auditor and should have a similar policy opposed to the areas that they should audit.
for divisional and subsidiary heads”. In response
to feedback received, this recommendation [G] Quality assessment
has been amended to focus primarily on
the objectivity and independence of the Recommendation 26 has built on the
Chief Internal Auditor, rather than on the IIA Standards to emphasise that Internal
need to change the Chief Internal Auditor. Audit’s quality assessment activity must
13
include “Internal Audit’s understanding year recommended period for external
and identification of risk and control issues, review, as specified in the IIA Standards.
in addition to the adherence to audit
methodology and procedures”. This is making [H] Relationships with regulators
explicit a requirement for an element of
quality assessment that is overlooked or The guidance reinforces the requirement for
not performed by some functions. open, honest and constructive communication
with the Regulators. In response to consultation
The IIA Standards mandate an independent, feedback, the Committee did not see a
external review of the Internal Audit function requirement to expand on the expectations
at least every five years. The Committee laid out in the Statements of Principle and
agreed that an external review of the Code of Practice for Approved Persons,
quality and effectiveness of Internal Audit and the UK Corporate Governance Code,
is important in providing the Chief Internal in relation to the interaction between the
Auditor and the Audit Committee with an Chief Internal Auditor and the Regulators.
assessment of the strength of the function.

Some consultation responses suggested that


the current five year limit for an external Wider considerations
review of Internal Audit should be reduced,
particularly in periods of organisational or The Committee received numerous responses
industry change. The Committee did not feel requesting further guidance on the practical
that recommending a reduced maximum application of the recommendations. The
period for this external review was appropriate. Committee intends the guidance to establish
It should be noted that the IIA Standards principles rather than detailed rules and feels
mandate this period as a maximum, and that the guidance itself is sufficiently clear
many organisations choose to commission for Internal Audit to be able to apply those
external assessments on a more frequent principles. Nevertheless the Committee
basis. The quality assessment requirements recognises that firms would benefit from
of audit functions can vary depending on a additional guidance and instruction from the
range of factors, including the complexity Chartered Institute of Internal Auditors as industry
or degree of change in the organisation, good practice becomes better established.
emerging risks in the industry or organisation
and stability or maturity of the audit function. The Committee has also recommended that the
Chartered Institute of Internal Auditors revisits
The Committee felt that to recommend a the guidance document after a period of two
timescale assumes that a periodic, holistic to three years, to provide the opportunity to
review of the function is the most appropriate refine the recommendations contained herein.
approach to the external assessment. Some This could be to reflect evolving practice
functions are considering an ongoing and implementation expectations, and to
review by an external party, focusing the correct any unintended consequences that
quality assessment on high risk areas of arise in the application of the guidance.
the audit function, such as emerging risks,
new methodology practices or industry hot Roger Marshall, in his role as a Director at
topics. None of the above should be taken the Financial Reporting Council, has made a
as acceptance of a less rigorous approach recommendation to the Financial Reporting
14 to quality assessment than that specified in Council in his covering letter, pertaining to wider
the IIA Standards. The Committee does not Corporate Governance guidance for Boards and
support the period between the performance Executive Management in relation to Internal Audit.
of an external review exceeding the five
Committee Membership

Committee members

Roger Marshall (Chair) Audit Committee Chair, Old Mutual; Director,


Financial Reporting Council (FRC)

Paul Boyle Chief Audit Officer, Aviva (formerly Chief


Executive Financial Reporting Council)

Prof. Andrew Chambers Professor of Internal Auditing, now emeritus, Cass


Business School; advisor to the House of Lords inquiry
into audit market concentration (2010-12)

Paul Lawrence Group General Manager, Internal Audit, HSBC

Brendan Nelson Audit Committee Chair, BP; Audit Committee chair, RBS

Martyn Scrivens Group Chief Auditor, Credit Suisse

Carol Sergeant Non-Executive Director, multiple organisations; Former


Chief Risk Officer, Lloyds Banking Group; Former
Managing Director of the Regulatory Process and Risks
Directorate at the Financial Services Authority

Chris Spedding (Secretary) Senior Manager, Ernst & Young

Observers to the Committee

Stephen Brown Head of Internal Audit, Bank of England

Rosemary Hilary Head of Internal Audit, Financial Conduct Authority

Chris Hodge Director of Corporate Governance, Financial Reporting Council

Veenu Mittal Senior Associate, Accounting and Audit policy,


Prudential Regulation Authority

Ian Peters Chief Executive, Chartered Institute of Internal Auditors

Kevin Simons Partner, Ernst & Young

Pat Sucher Manager, Accounting and Audit policy, 15


Prudential Regulation Authority
About the Chartered Institute of Internal Auditors (IIA)
The IIA is the only body focused exclusively on internal auditing and we are passionate about
supporting, promoting and training the professionals who work in it. We have been leading
the profession of internal auditing for over 65 years. Our International Standards and Code of
Ethics unite a global community of over 180, 000 internal auditors in 190 countries.
We are committed to enhancing the recognition and professionalism
of internal audit in the UK and Ireland, through:

• Dynamic leadership of the profession which maximises our members’ reputation and influence
individually and collectively.
• Technical excellence through our International Standards and Code of Ethics.
• All members across the globe work to the same International Standards and Code of Ethics.
• We have 8,000 members in all sectors in the UK and Ireland.
• High quality support to our members throughout their careers, which enables
them to continually develop their professional knowledge, skills and experience
and provides other services of value to members in their roles.

These things, enacted through our staff, members and volunteers and
with the support of our suppliers and partners, make a significant
and unique contribution to the success of all organisations.

www.iia.org.uk
Chartered Institute of Internal Auditors
13 Abbeville Mews, 88 Clapham Park Road, London SW4 7BX
tel 020 7498 0101 fax 020 7978 2492 email info@iia.org.uk
©July 2013. Information can be made available in other formats.

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy