Internal Audit Functions continue to play an integral role in driving effective governance and risk management initiatives. The recent publication of the updated “Internal Audit Financial Services Code” by the Chartered Institute of Internal Auditors provides updated good practice recommendations for the consideration of Boards, Senior Management and the Chief Audit Executive of financial services organisations to foster effective and robust IA practices. In this article, Patrick Farrell, Claire Heeley and Neil Taaffe of our Risk Consulting practice set out a summary of these recommendations and considerations to support their implementation.
In July 2013, the Chartered Institute of Internal Auditors (‘the IIA’) issued the ‘Internal Auditor’s Financial Services Code’ (‘the IA FS Code’) to provide principles based guidance to financial services organisations to enable them to increase the effectiveness of the Internal Audit (‘IA’) Function.
In January 2021, the updated (and renamed) ‘Internal Audit Financial Services Code’ was published in order to harmonise the IA FS Code with the previously published ‘Internal Audit Code of Practice: Guidance on effective internal audit in the private and third sectors’.
The recommendations articulated within the IA FS Code have not been materially altered but do provide updated good practice recommendations for the consideration of Boards, Senior Management and the Chief Audit Executive (‘CAE’) of financial services organisations to foster effective and robust IA practices.
The new ways of working for IA functions during COVID-19 has brought great change.
Only time will tell what the new reality will bring and its impact on the work of Internal Audit. The impact will range from a complete change in the operational risk profile of organisations, to the ability of Internal Audit functions to be impactful and build relationships in a remote working environment. CAE’s need to re-think all aspects of the approach to Internal Audit to adapt to this new reality. Maintaining a focus on being compliant with the IIA standards and this IA FS Code is required, but the approach and methods will need to adapt.
The IA FS Code provides guidance to CAE’s, Executive and Non-Executive Directors (specifically members of Audit and Risk Committees) of entities within the financial services sector.
The IA FS Code should be applied in conjunction with the existing International Professional Practices Framework (‘IPPF’) published by the Global Institute of Internal Auditors, which includes the International Standards for the Professional Practice of Internal Auditing (‘the IIA Standards’).
The IA FS Code is written in the context of companies operating within the UK and Ireland regulated financial services sector. It is expected that the procedural requirements of the IA FS Code are applied proportionately.
There are several recommendations articulated in the IA FS Code, relating to the areas and activities of the IA Function outlined below.
The IA Function should be positioned to support the Board and Senior Management in safeguarding the assets of the organisation through challenging management to strengthen governance, risk and controls whilst also ensuring management and the Risk Function employ robust risk management practices. This is achieved through reviewing the design and operating effectiveness of internal controls, in particular by assessing; (i) the risk identification, management and reporting processes performed by management; (ii) how effectively the Risk Function monitors risk; and (iii) the activities and actions performed to mitigate against and manage these risks
The IA Function is responsible for adopting a risk-based approach to develop an IA plan that provides coverage of key risk areas within the Audit Universe and must be flexible to allow IA to prioritise coverage of emerging risks and unplanned events. The IA FS Code outlines areas to be included in IA Plans including (but not limited to); (i) internal governance structures and processes; (ii) information presented to the Board/Senior Management; (iii) risk appetite processes; (iv) risk and control culture; (v) key corporate events; (vi) conduct risk management; and, (vii) capital and liquidity risks. The IA plan is typically subject to approval by the Audit Committee (‘AC’) (or equivalent).
IA Function representatives such as the CAE should attend and report to appropriate governance fora (including the Board, its Risk Committee, Audit Committee and other Sub- Committees as appropriate). Reports by IA should include (i) details of control weaknesses and the related root cause; (ii) thematic issues identified across the organisation; (iii) an independent view of risk management reporting by management; (iv) a post-mortem / lessons learned analysis following any adverse events; and, (v) at least annually provide an assessment of the overall effectiveness of the governance, risk and control framework of the organisation and adherence to the risk appetite framework.
The IA Function must be independent from first and second line functions including Finance, Risk, and Compliance as IA’s scope/remit routinely includes an assessment of the adequacy and effectiveness of these functional areas.
The IA Function must exercise its judgement in determining the extent to which it is appropriate to consider relevant work performed by the Finance, Risk, and Compliance functions when performing risk assessment procedures or determining the level of audit testing to be performed over activities under review.
IA resources should have the necessary skills and expertise (including subject matter expertise) aligned to the scale and nature of operations of the organisation. The CAE or equivalent will ensure resources meet this criteria through training and recruitment activities, co-sourcing with third parties where required and rotating staff from relevant areas of the business. The CAE will report to the AC with a regular assessment of staff capability and whether the budget is sufficient to engage/recruit resources with the skills required. The AC is responsible for approving the IA Function’s budget and discloses annually whether it is satisfied that the resourcing of the IA Function is appropriate.
IA should have the right to attend and observe all or part of executive committee meetings and other key management decision making fora. This enables IA to understand the business strategy, key issues, emerging risks and decisions, and to adjust IA priorities where appropriate. The primary reporting line for the CAE should be to the Chair of the AC. The CAE is responsible for the oversight of subsidiary IA functions, in order to ensure the CAE’s responsibilities can be discharged at a Group level. The CAE is accountable for the development, execution and reporting of the Group IA Plan, and has the authority to request information to better understand local inputs to the IA Plan (e.g. risk assessments) and outputs (e.g. audit reports / findings).
The Board or AC are responsible for evaluating the performance of the IA Function regularly and must define success factors for the Function. The IA Function must maintain policies, procedures and performance effectiveness measures which are regularly reviewed. IA Functions should develop a Quality Assessment & Improvement Programme (‘QAIP’) to monitor the quality of delivery. The scope of (risk-based) QAIP reviews should include IA’s understanding and identification of risk and control issues, and adherence to methodology. The scope of QAIP should also include the work performed by third parties (e.g. co-source services). External Quality Assessments (‘EQA’) should be sought at appropriate intervals. Results of QAIP/EQA assessments should be presented to the AC at least annually.
The CAE and other senior managers within the IA Function shall foster open, constructive and co-operative relationships with Regulators. If Regulators can rely on IA work, this often reduces the regulatory burden on the organisation. Occasionally, Regulators may ask IA to carry out specific work rather than commission a third party. This only occurs where there are high levels of trust and credibility between the IA Function, the Board and Senior Management of the organisation and the Regulatory authority mandating any review.
The CAE and the Audit Partner responsible for external audit should ensure there is appropriate regular communication and a propensity for information sharing. Whilst it is crucial to preserve their independence and objectivity, Internal and External Audit should maintain a close, constructive relationship with the External Auditor, to ensure their work is coordinated and there is an efficient use of resources.
KPMG provides a range of supports and solutions to IA functions across the financial services sector ranging from fully outsourced and co-source service provision to specific advisory engagements. Examples of how our team of experts can assist include: