This September marked a significant milestone for advocates of good corporate governance with the release of the Chartered Institute of Internal Auditors’ long-awaited Internal Audit Code of Practice.
The new code provides a comprehensive roadmap and set of guiding principles designed to enhance the effectiveness of internal audit functions. It targets not only internal audit professionals but, just as importantly, members of boards, audit committees and senior management.
By raising internal audit standards across the UK and Ireland, the code both strengthens corporate governance and risk management, and contributes to economic stability by helping boards identify, manage and mitigate risks more effectively.
Our journey began more than a decade ago with the release of the Financial Services Internal Audit Code of Practice, developed in response to the global financial crisis. At the time, financial services regulators called on the internal audit profession to raise its game. The code was widely regarded as a success, enhancing the scope, skills, and status of internal audit functions across the financial services sector. Building on that success, we published a similar code for the non-financial private and third sectors in 2020.
However, both codes needed updating to reflect the new global internal audit standards that come into effect in January 2025, and to keep pace with industry practices and regulatory changes, such as the revised UK Corporate Governance Code. This prompted the development of a unified code, which brings together the financial services, private and third sectors under one comprehensive framework.
An independent committee—comprising experienced audit committee chairs and senior internal audit executives from a range of sectors and backgrounds—led the process of reviewing and updating the code. A number of regulators, including the Bank of England, Bank of Ireland, Financial Conduct Authority, and Financial Reporting Council, were also closely involved, attending the committee as observers.
Trust in corporate governance
The new code is a crucial tool for restoring trust in the broader audit and corporate governance ecosystem. So far, audit reform efforts have primarily focused on statutory (external) audit, but we believe a robust internal audit profession, guided by our new code, plays an equally critical role in improving governance.
Many corporate collapses – such as BHS, Bulb, Carillion, Patisserie Valerie, P&O Ferries, Thomas Cook, Wilko, and Wirecard – highlight that failures weren’t solely due to weaknesses in financial accounting or statutory audits but also reflected weak or deficient internal control and risk management frameworks.
This is where a strong and effective internal audit function is indispensable: providing independent assurance to the board that risks have been identified, managed, and mitigated, and assuring the effectiveness of the controls in place. In the cases of BHS, Bulb, and Patisserie Valerie, it’s notable that no internal audit function existed. Our new code is therefore a valuable resource not only for organisations looking to improve existing internal audit functions but also for those establishing one for the first time.
Coordinated codes
A key advantage of the new code is its alignment with the revised UK Corporate Governance Code. Notably, in our code, there is a new principle that requires audit committee disclosures in the annual report to summarise the purpose and mandate of the internal audit function, its main activities, and its effectiveness.
Too often, these disclosures in publicly listed companies’ annual reports offer little or no meaningful narrative about internal audit. Given the vital role internal audit plays in helping boards manage risks, this is an area where improvement is overdue. We want to see meaningful, substantive disclosures rather than generic, boilerplate statements that merely seek to tick a box.
The new code also dovetails with the UK Corporate Governance Code’s requirement for a board internal controls declaration, clarifying that internal audit’s work assuring the effectiveness of the governance, risk, and control frameworks can directly support this declaration.
New and emerging risks
One of the most exciting, and arguably revolutionary, developments in the new code relates to the scope and priorities of internal audit. Internal audit functions across all sectors—not just financial services—are now required to include capital and liquidity risks in their scope, along with risks arising from poor customer treatment.
These risks are highly relevant across industries, especially considering the numerous corporate collapses outside the financial services sector—where capital and liquidity risks were neglected—as well as the public utilities across energy, water and telecoms sectors that have faced scrutiny for mistreating customers.
For the first time, the new code explicitly recommends that internal audit should not only examine risk and control cultures but also the broader corporate culture and associated behaviours. Many recent high-profile collapses have been characterised by weak corporate cultures, inappropriate behaviours, and a poor ‘tone from the top’.
This change aligns with the revised UK Corporate Governance Code, which clearly states that the board is responsible for assessing, monitoring, and embedding the corporate culture. Internal audit can play a vital role in supporting this by providing independent assessments of corporate culture.
Excitingly, the new code also addresses several emerging risk areas to which internal audit functions must now pay close attention. Organisations are facing increased exposure to material risks in areas such as environmental sustainability, climate change, social issues, financial and economic crime, and technology risks, including those surrounding AI and cybersecurity. By incorporating these areas into the scope of internal audit, the new code ensures that organisations are better equipped to navigate today’s complex and interconnected risk landscape.
Empowering boards
The new Internal Audit Code of Practice encourages internal audit functions to strive for excellence, while also empowering boards, audit committees, and CEOs to engage more deeply with their internal audit teams. In a world of heightened uncertainty, volatility and risk, now is the time for boards to maximise the value that a strong and effective internal audit function can provide.
By adopting the principles of the new code, organisations can unlock the full potential of internal audit, enabling it to play a crucial role in good governance and long-term stability.
We urge boards and audit committees to collaborate with their internal audit teams to embed the principles of this new code. Together, they can strengthen their organisation’s governance frameworks, improve risk management and internal controls, and ultimately contribute to restoring trust in corporate governance.
Gavin Hayes is head of policy and public affairs at the Chartered Institute of Internal Auditors and served as a member of the secretariat to the Independent Internal Audit Code of Practice Review Committee.