A new code of practice has been made public, setting out the key principles for internal audit departments. It highlights their responsibility to help boards protect the assets, corporate reputation and sustainability of an organisation.
Endorsed by key regulators and professional bodies, the document for the first time pulls together a unified code for bodies across financial services, and the private and third sectors.
Anne Kiem, chief executive of the Chartered Institute of Internal Auditors, the body responsible for leading work on the code, says the measures will help “restore trust” in the broader audit and corporate governance environment.
“As organisations confront an increasingly uncertain and dynamic risk landscape, the new Internal Audit Code of Practice offers a crucial framework that will enhance the role of internal audit in advising and providing assurance to boards and senior management over their organisations’ risks, controls and corporate governance processes,” she says.
A slew of major bodies offered their support for the code, including the Financial Reporting Council (FRC), the UK’s key governance and financial reporting watchdog.
‘Significant step forward’
Mark Babington, executive director of the FRC, says: “This code is a significant step forward in improving independent assurance over the way businesses manage risk and assess the effectiveness of their internal controls to support reporting against the corporate governance code.”
The project committee to develop a new code was headed by Sally Clark, audit committee chair at Citigroup Global Markets. She underlines the code’s role:
“This code is a pivotal advancement of the internal audit profession and corporate governance in the UK and Ireland.
“Now, more than ever, internal auditors must be bold and proactive if they are to add value to the organisations that they work within.”
Internal controls have been on rule makers’ agendas for some time. In reviews of the audit process following the collapse of firms such as Carillion and BHS, the strengthening of internal controls emerged as a key issue.
When, in January, the UK’s corporate governance code was updated, the new guidance gave boards a responsibility to monitor and report on the effectiveness of their internal controls.
This was, however, controversial. Many had argued for internal control measures to be included in legislation and made a legal obligation. The previous government’s decision had been to include them in the governance code under the “comply or explain” rubric.
There was further disappointment when the government planned new reporting requirements that would have seen companies issue risks and resilience reports, assurance that would have heavily involved internal auditors.
Call for independence
Under nine headings, the new code of practice includes 37 principles covering issues such as the scope of work, and relationships with other key players, for example, audit committees and external auditors.
It also includes bold statements on internal audit’s independence. Internal audit, the code says, “should have the right to attend and observe all or part of executive committee meetings and any other key management decision-making fora”. Internal audit should also have “unrestricted and timely access to key management information and a right of access to all of the organisation’s data, records, information, personnel and physical properties necessary to discharge its responsibilities.”
There is also an emphasis on internal audit assessing “whether appropriate activities have been established to embed the organisation’s purpose”.
Andy Kemp, chair of the Audit Committee Chairs’ Independent Forum, says: “The new internal audit code of practice empowers audit committee chairs to elevate internal audit functions, which are increasingly vital in navigating today’s complex controls and risk landscape.”