Effective Internal

Non Executive Directors (NEDs)

Audit in the Financial
and the Management of Risk
A survey of heads of internal audit

Services Sector
Recommendations from the Committee
on Internal Audit Guidance for
Financial Services
July 2013
 Contents

Foreword from the Chief Executive 3

Message from the Chairman 4
Introduction and context 5
Recommendations of the Committee (The Guidance) 6
Basis for conclusions 11
Committee membership 15

2
Foreword from the Chief Executive
The guidance contained within
this document represents the final
recommendations of the Committee on
Internal Audit Guidance for Financial Services,
which the Institute has accepted in full and
now commends to the Boards and Internal
Audit practitioners of all organisations
operating in the UK financial services sector.
Chaired by Roger Marshall, the Audit Committee
Chair of a FTSE 100 insurance group and a
director of the accountancy standards setter,
the Financial Reporting Council (FRC), our
Committee was an independent, industry led
body which the Institute created specifically for
the purpose of developing this guidance. The
group was designed to embrace Non-Executives,
Executives, Internal Audit practitioners and the
regulatory and standard setters’ perspectives.
Together they achieved a high level of debate
and engagement across the financial services
sector on the issues of Internal Audit’s role in
supporting the management of risk. The result
is the set of thorough, thoughtful and scalable
recommendations contained within these pages.
This new guidance is important because
conclusions drawn on the causes of the
financial crisis and more recent governance, risk
management and internal control failures within
the financial services sector – notably the June
2013 report of the Parliamentary Committee on
Banking Standards Commission – emphasise that
a more influential internal audit function can
play a more significant role in supporting Non-
Executive and Executive Management of financial
services organisations to manage risks better.
So I hope that Boards and particularly Audit
Committees will embrace the spirit and principles
of this new guidance, so that the Internal Audit
profession may deliver its full value to them.
Finally, I should like to thank the members of the
Committee for their diligence and commitment
to the task of producing their recommendations.
Despite a challenging delivery timetable, they
have promulgated a comprehensive debate about
the role of Internal Audit in financial services
organisations and achieved a high level of
engagement on the issues, across the industry.
Dr Ian Peters
Chief Executive
3
 Message from the Chairman
We have pleasure in issuing our final
recommendations aimed at fostering
effective internal audit in the financial
services sector.
This follows a lengthy consultation exercise
which started in September 2012. We issued
our draft proposals on 11 February 2013 and
have been struck not only by the number of
responses but also by the thought and care
which have gone into preparing them. The
Committee has considered the responses in
detail and our final recommendations have
been modified as a result. In some cases we
realised that the principle was supported but
that the wording was unclear but in other cases
more significant changes have been made.
We have included a basis for conclusions section
in this document, which includes the main themes
of the responses and how we dealt with them.
A key feature of the responses was the need
for proportionality in the way in which
the recommendations are implemented.
4
The Committee agrees and has included
an overall paragraph in the Introduction
and Context section making this clear.
Whilst we have addressed our recommendations
to the Chartered Institute of Internal
Auditors we appreciate that many of them
can only be implemented by Boards, Audit
Committees and Executive Management.
We hope that some of the recommendations will
be useful outside the financial services sector. We
have written separately to the Financial Reporting
Council recommending that they consider whether
additional guidance is needed on what should be
expected from a good Internal Audit function.
Finally I would like to extend my thanks
to the Members and Observers of the
Committee and to our secretary, Chris
Spedding, for all their diligent work.
Roger Marshall
Chairman of the Committee
Introduction and context
The recommendations included in the
following guidance are made by the
Committee to the Chartered Institute of Internal
Auditors in the UK with the aim of enhancing
the overall effectiveness of Internal Audit,
and its impact within the firms operating in
the financial services sector in the UK. The
guidance can be regarded as an additional
benchmark against which firms can measure
their Internal Audit function. The intended
audience for this guidance includes Chief
Internal Auditors, Executive and Non-Executive
Directors and the Regulatory bodies.
The guidance should be applied in conjunction
with the existing Institute of Internal Auditors
International Professional Practices Framework
(IPPF), which includes the International
Standards for the Professional Practice of
Internal Auditing (the IIA Standards). The
recommendations contained in this guidance
aim to build on the IIA Standards, providing
financial services context to the existing IIA
Standards, and to increase the effectiveness
and impact of internal audit in high risk areas
of financial services organisations by clarifying
expectations and requirements of internal audit.
The guidance aims to establish principles rather
than detailed rules. Nevertheless it is written
in the context of a reasonable sized company
operating within the UK regulated financial
services sector. Smaller companies and branches
of non-UK headquartered organisations in
particular may need to make modifications to
the detail of the principles whilst complying
with their spirit. The guidance is assumed to
be interpreted and implemented in a manner
and to the extent that is appropriate to a firm’s
size, risk profile, internal organisation and the
nature, scope and complexity of its activities.
Wherever possible, the guidance has attempted
to use layman’s language to define terms
open to ambiguity or differing application,
e.g. “assurance”, “three lines of defence”
and “reporting line”. To a great extent, the
guidance has also avoided recommendations
on the application and implementation of
the principles included. Given organisational
and industry specific factors, and a
variety of potential audit approaches, the
Committee did not feel it was appropriate
to mandate best practice of application.
5
 Recommendations of the Committee
(The Guidance)
[A] Role and mandate of
Internal Audit
1. The primary role of Internal Audit should
be to help the Board and Executive
Management to protect the assets, reputation
and sustainability of the organisation.
It does this by assessing whether all significant
risks are identified and appropriately reported
by management and the Risk function to
the Board and Executive Management;
assessing whether they are adequately
controlled; and by challenging Executive
Management to improve the effectiveness of
governance, risk management and internal
controls. The role of Internal Audit should
be articulated in an Internal Audit Charter,
which should be publicly available.
2. The Board, its Committees and Executive
Management should set the right “tone at the
top” to ensure support for, and acceptance of,
Internal Audit at all levels of the organisation.
[B] Scope and priorities
of Internal Audit
3. Internal Audit’s scope should be unrestricted
There should be no aspect of the organisation
which Internal Audit should be restricted from
looking at as it delivers on its mandate. Whilst
it is not the role of Internal Audit to second
guess the decisions made by the Board, its
scope should include information presented
to the Board as discussed further below.
4. Risk assessments and prioritisation
of Internal Audit work
In setting its scope, Internal Audit should take
into account business strategy and should
form an independent view of whether the key
risks to the organisation have been identified,
6 including emerging and systemic risks, and
assess how effectively these risks are being
managed. Internal audit’s independent view
should be informed, but not determined,
by the views of management or the Risk
function. In setting its priorities and deciding
where to carry out more detailed work,
Internal Audit should focus on the areas
where it considers risk to be higher.
Internal Audit should make a risk-based
decision as to which areas within its scope
should be included in the audit plan – it
does not necessarily have to cover all of
the potential scope areas every year.
5. Internal Audit planning
Internal Audit plans, and material changes
to Internal Audit plans, should be approved
by the Audit Committee. They should
have the flexibility to deal with unplanned
events to allow Internal Audit to prioritise
emerging risks. Changes to the audit plan
should be considered in light of Internal
Audit’s ongoing assessment of risk.
6. Scope of Internal Audit
Internal Audit should include within
its scope the following areas:
a. Internal governance
Internal Audit should include
within its scope the design and
operating effectiveness of the
internal governance structures and
processes of the organisation.
b. The information presented to the Board
and Executive Management for strategic
and operational decision making
Internal Audit should include within
its scope the processes and controls
supporting strategic and operational
 decision making. It should assess
whether the information presented to
the Board and Executive Management
fairly represents the benefits, risks and
assumptions associated with the strategy
and corresponding business model.
c. The setting of, and adherence
to, risk appetite
Internal Audit is not responsible for setting
the risk appetite but should assess whether
the risk appetite has been established and
reviewed through the active involvement
of the Board and Executive Management.
It should assess whether risk appetite is
embedded within the activities, limits
and reporting of the organisation.
d. The risk and control culture
of the organisation
Internal Audit should include within its
scope the risk and control culture of
the organisation. This should include
assessing whether the processes (e.g.
appraisal and remuneration), actions (e.g.
decision making) and “tone at the top”
are in line with the values, ethics, risk
appetite and policies of the organisation.
Internal Audit should consider the
attitude and assess the approach taken
by all levels of management to risk
management and internal control.
This should include Management’s
actions in addressing known control
deficiencies as well as Management’s
regular assessment of controls.
e. Risks of poor customer treatment, giving
rise to conduct or reputational risk
Internal Audit should evaluate whether
the organisation is acting with integrity
in its dealings with customers and in
its interaction with relevant markets.
Internal Audit should evaluate whether
Business and Risk Management are
adequately designing and controlling
products, services and supporting
processes in line with customer
interests and conduct regulation.
f. Capital and liquidity risks
Internal Audit should include within
its scope the management of the
organisation’s capital and liquidity risks.
g. Key corporate events
Examples of key corporate events could
include significant business process
changes, introduction of new products
and services, outsourcing decisions
and acquisitions/divestments. Internal
Audit should decide if these events
are sufficiently high risk to warrant
involvement on a real time basis. In
doing so, Internal Audit will evaluate
whether the key risks are being adequately
addressed (including by other forms of
assurance, e.g. third party due diligence)
and reported. Internal Audit should
also assess whether the information
being used in such key decision making
is fair, balanced and reasonable, and
whether the related procedures and
controls have been followed.
h. Outcomes of processes
Internal Audit should evaluate the design
and operating effectiveness of the
organisation’s policies and processes.
As part of this evaluation, Internal Audit
should consider whether the outcomes
achieved by the implementation of
these policies and processes are in
line with the objectives, risk appetite
and values of the organisation.
7
 [C] Reporting results
7. Internal Audit should be present at, and
issue reports to the appropriate governing
bodies, including the Board Audit Committee,
the Board Risk Committee and any other
Board Committees as appropriate. The
nature of the reports will depend on the
remits of the respective governing bodies.
8. Internal Audit’s reporting to the Board Audit
and Risk Committees should include:
• a focus on significant control
weaknesses and breakdowns together
with a robust root-cause analysis;
• any thematic issues identified
across the organisation;
• an independent view of Management’s
reporting on the risk management
of the organisation, including a view
on Management’s remediation plans
(which might include restricting further
business until improvements have been
implemented) highlighting areas where
there are significant delays; and
• at least annually, an assessment of the
overall effectiveness of the governance,
and risk and control framework of the
organisation, together with an analysis
of themes and trends emerging from
Internal Audit work and their impact
on the organisation’s risk profile.
[D] Interaction with Risk
Management, Compliance
and Finance
9. Effective Risk Management, Compliance
and Finance functions are an essential part
of an organisation’s corporate governance
structure. Internal Audit should be
independent of these functions and be
neither responsible for, nor part of, them.
8 10. Internal Audit should include within its
scope an assessment of the adequacy and
effectiveness of the Risk Management,
Compliance and Finance functions. In
evaluating the effectiveness of internal
controls and risk management processes, in
no circumstances should Internal Audit rely
exclusively on the work of Risk Management,
Compliance or Finance. Internal Audit should
always examine, for itself, an appropriate
sample of the activities under review.
11. Internal Audit should exercise informed
judgement as to when to place reliance on
the work of Risk Management, Compliance
or Finance. To the extent that Internal
Audit places reliance on the work of Risk
Management, Compliance or Finance, that
should only be after a thorough evaluation
of the effectiveness of that function in
relation to the area under review.
[E] Independence and authority
of Internal Audit
12. The Chief Internal Auditor should be at a
senior enough level within the organisation
(normally expected to be at Executive
Committee or equivalent) to give him
or her the appropriate standing, access
and authority to challenge the Executive.
Subsidiary, branch and divisional Heads of
Internal Audit should also be of a seniority
comparable to the senior management whose
activities they are responsible for auditing.
13. Internal Audit should have the right to
attend and observe all or part of Executive
Committee meetings and any other key
management decision making fora.
14. Internal Audit should have sufficient
and timely access to key management
information and a right of access to all
of the organisation’s records, necessary
to discharge its responsibilities.
In organisations in which the Internal
Audit function is outsourced, the Chair
of the Audit Committee should identify
an appropriate individual responsible for
 ensuring that the Chief Internal Auditor
has sufficient and timely access to key
management information and decisions.
15. The primary reporting line for the Chief
Internal Auditor should be to the Chairman
of the Audit Committee. In exceptional
circumstances, the Board may wish for Internal
Audit to report directly to the Chairman of
the Board, or delegate responsibility for the
reporting line to the Chairman of the Board
Risk Committee, provided the Chairman
of the Board Risk Committee and all the
other Committee members are independent
Non-Executive Directors. The reporting
line must avoid any impairment to Internal
Audit’s independence and objectivity.
16. The Audit Committee should be responsible
for appointing the Chief Internal Auditor
and removing him/her from post.
17. The Chairman of the Audit Committee
should be accountable for setting the
objectives of the Chief Internal Auditor
and appraising his/her performance. It
would be expected that the objectives and
appraisal would take into account the views
of the Chief Executive. This appraisal should
consider the independence, objectivity
and tenure of the Chief Internal Auditor.
18. The Chairman of the Audit Committee
should be responsible for recommending
the remuneration of the Chief Internal
Auditor to the Remuneration Committee.
The remuneration of the Chief Internal
Auditor and Internal Audit staff should be
structured in a manner such that it avoids
conflicts of interest, does not impair their
independence and objectivity and should
not be directly or exclusively linked to the
short term performance of the organisation.
19. Subsidiary, branch and divisional Heads
of Internal Audit should report primarily
to the Group Chief Internal Auditor, while
recognising local legislation or regulation as
appropriate. This includes the responsibility
for setting budgets and remuneration,
conducting appraisals and reviewing
the audit plan. The Group Chief Internal
Auditor should consider the independence,
objectivity and tenure of the subsidiary,
branch or divisional Heads of Internal
Audit when performing their appraisals.
20. If Internal Audit has a secondary Executive
reporting line, this should be to the CEO in
order to preserve independence from any
particular business area or function and
to establish the standing of Internal Audit
alongside the Executive Committee members.
[F] Resources
21. The Chief Internal Auditor should ensure
that the audit team has the skills and
experience commensurate with the
risks of the organisation. This may entail
training, recruitment, secondment from
other parts of the organisation or co-
sourcing with external third parties.
22. The Chief Internal Auditor should provide
the Audit Committee with a regular
assessment of the skills required to conduct
the work needed, and whether the Internal
Audit budget is sufficient to allow the
function to recruit and retain staff with
the expertise and experience necessary
to provide effective challenge throughout
the organisation and to the Executive.
23. The Audit Committee should be responsible
for approving the Internal Audit budget and,
as part of the Board’s overall governance
responsibility, should disclose in the annual
report whether it is satisfied that Internal
Audit has the appropriate resources.
9
 [G] Quality assessment
24. The Board or the Audit Committee is
responsible for evaluating the performance of
the Internal Audit function on a regular basis.
In doing so it will need to identify appropriate
criteria for defining the success of Internal
Audit. Delivery of the audit plan should not
be the sole criterion in this evaluation.
25. Internal Audit should maintain an up-to-
date set of policies and procedures, and
performance and effectiveness measures
for the Internal Audit function. Internal
Audit should continuously improve these
in light of industry developments.
26. Internal Audit functions of sufficient
size should develop a quality assurance
capability, with the work performed by
individuals who are independent of the
delivery of the audit. The individuals
performing the assessments should have the
standing and experience to meaningfully
challenge Internal Audit performance and
to ensure that Internal Audit judgements
and opinions are adequately evidenced.
The scope of the quality assurance
review should include Internal Audit’s
understanding and identification of risk
and control issues, in addition to the
adherence to audit methodology and
procedures. This may require the use of
resource from external parties. The quality
assurance work should be risk-based to
cover the higher risks of the organisation
and of the audit process. The results of these
assessments should be presented directly
to the Audit Committee at least annually.
27. Where the Internal Audit function is
outsourced to an external provider, Internal
Audit’s work should be subject to the same
quality assurance work as the in-house
functions. The results of this quality assurance
10 work should be presented to the Audit
Committee at least annually for review.
28. In addition, the Audit Committee should
obtain an independent and objective external
assessment at appropriate intervals. This
could take the form of periodic reviews of
elements of the function, or a single review
of the overall function. The conformity of
Internal Audit with the recommendations
included in this guidance should be
explicitly included in this evaluation. The
Chairman of the Audit Committee should
oversee and approve the appointment
process for the independent assessor.
[H] Relationships with regulators
29. Nature and purpose of the relationship
The Chief Internal Auditor, and other senior
managers within Internal Audit, should have
an open, constructive and co-operative
relationship with regulators which supports
sharing of information relevant to carrying
out their respective responsibilities.
Wider considerations
30. The Chartered Institute of Internal
Auditors should consider developing
additional guidance on the application and
implementation of the recommendations
detailed in this guidance. In particular, less
well established areas for Internal Audit
activity, such as auditing culture and outcomes
would benefit from additional guidance.
31. This Committee recommends that the
Chartered Institute of Internal Auditors
should review this guidance after a period of
two to three years, and consider amending
or updating the guidance as required.
Basis for conclusions
On 11 February 2013, the Committee on
Internal Audit Guidance for Financial Services
issued a consultation paper containing a set of
draft recommendations to the Chartered Institute
of Internal Auditors. There was a two month
consultation period, ending on 12 April 2013.
The Committee received a large number of
responses which included the views of Chief
Internal Auditors, Non-Executive Directors,
Executives and Risk Managers. The responses
came from organisations across the financial
services sector, including banks, insurers,
building societies, asset managers and
professional services firms, and from a range of
Trade Associations and professional bodies.
In total, over 100 written responses were received,
the majority of which (unless otherwise requested
by the respondent) have been made available
for public review via the Chartered Institute
of Internal Auditors website (www.iia.org.uk/
policy/policy-initiatives/financial-services).
In addition to these written responses, the
Committee hosted or attended numerous
consultation meetings and events to discuss the
consultation paper with Internal Audit practitioners,
Non-Executive Directors and Executive
Management. The consultation responses,
and feedback from these sessions, have also
contributed to the finalisation of the guidance.
The majority of responses received supported
the overall objective of the initiative and the
direction of the guidance, recognising that
improving the effectiveness and impact of internal
audit can help strengthen risk management,
governance and control in financial services.
Accordingly, the objectives and direction of
the guidance have not been substantively
changed as a result of the consultation.
The amendments to the draft recommendations
were made in response to feedback that
highlighted recommendations that were potentially
ambiguous or open to misinterpretation. The
sections below explain the more significant
issues raised by respondents to the consultation
paper, and contain a rationale for the Committee
recommendations included in the final guidance.
[A] Role and mandate of
Internal Audit
The Institute of Internal Auditors definition of
Internal Auditing is “an independent, objective
assurance and consulting activity designed to add
value and improve an organisation’s operations.
It helps an organisation accomplish its objectives
by bringing a systematic, disciplined approach
to evaluate and improve the effectiveness of risk
management, control and governance processes”.
The Committee supports this definition,
and emphasises the primary role of Internal
Audit is to protect the organisation. At the
discretion of the Audit Committee, Internal
Audit can perform other roles and activities
within the organisation, but not at the
expense of helping the Board and Executive
Management to protect the assets, reputation
and sustainability of the organisation.
In response to consultation feedback, this
section was amended to emphasise that
the responsibility for the protection of the
organisation lies with the Board and Executive
Management. Internal Audit should support
the Board and Executive Management
in discharging this responsibility. The
final guidance also brings to the fore the
importance of “tone at the top” supporting
Internal Audit in delivering this mandate.
Some consultation responses also questioned
the Committee’s recommendation that
the Internal Audit Charter should be made
publicly available. The rationale for this
recommendation is to provide clarity and
transparency to customers and investors
around the role and mandate of Internal
Audit. This is aligned to the expectation that
the Terms of Reference of the Committees
11
of the Board be made publicly available.
 [B] Scope and priorities
of Internal Audit
In response to consultation feedback,
the Committee have amended the
recommendations to clarify that Internal
Audit should not “second guess” the
decisions of the Board of Directors. The
Committee has recommended that the Audit
Committee should ultimately be responsible
for approving the activity of Internal Audit.
The IIA Standards require Internal Audit to
be free from interference in determining the
scope of their audit work. Whilst it is common
for Internal Audit Charters to mandate an
unrestricted scope, some Internal Audit
functions did not include in their audit universe
or risk assessments some of the processes,
risks and events that were central to the
problems faced by the financial services sector
in recent years. The Committee agrees with
the principle of an unrestricted scope, and, for
the avoidance of doubt, the guidance set out
areas of scope which were found to have been
restricted in some organisations, in practice
even if not in principle. This is not to say that
these areas should take priority over more
commonly audited / business-as-usual risk
areas, such as credit, operational or regulatory
risks. Feedback prompted the Committee
to stress that the guidance does not require
Internal Audit to cover every area contained
in the audit universe every year, although
they will be considered in Internal Audit’s risk
assessment and prioritisation of audit activity.
[C] Reporting results
The Committee separated the matters relating
to reporting lines between the provision of
direction to, and oversight of, Internal Audit
(for example on matters covered in section E
such as budget, approval of audit plans and
performance appraisal) and the reporting
12 of information by Internal Audit which is
covered in this section C. The Committee’s
recommendations around reporting results
were in response to inconsistencies across
the industry around the nature, quality
and frequency of formal reporting from
Internal Audit to Board Audit Committees
and especially Board Risk Committees.
[D] Interactionwith Risk
Management, Compliance
and Finance
The feedback received in the consultation
process requested additional explanation
around the relative roles of Internal Audit, Risk
Management, Compliance and Finance. The
Committee is not promoting a duplication of
role or purpose between Internal Audit and
Risk, Compliance or Finance. The Committee
has recommended that Internal Audit should
have an enterprise-wide remit and mandate,
and this must mean assessing the adequacy
and effectiveness of the Risk Management,
Compliance, and Finance functions.
The Committee agreed with the consultation
responses which argued that as well as Boards
receiving reports from Risk Management,
Compliance and Finance, an additional
perspective on risk management, governance
and control issues from Internal Audit is
healthy and to be encouraged. The objective
of this section of guidance was, in part,
to address a perceived misunderstanding
of “combined” or “integrated” assurance
models. Internal Audit must have an
enterprise-wide remit – “the assurance map”
cannot be carved up between the Internal
Audit, Risk and Compliance functions.
[E] Independence and authority
of Internal Audit
This section of the guidance addresses the
factors that can influence Internal Audit
work, and the conditions in which an Internal
Audit function can most effectively influence
the organisation in which it operates.
 The Committee recommends that Internal
Audit plays a stronger role in supporting
the Board of Directors to discharge its
responsibility to protect the organisation. The
Committee recognised that Internal Audit
must have sufficient standing and access
to Executive Management, to perform its
role. Whilst the guidance has recommended
that Internal Audit should have the right to
attend Executive Committee meetings and
any other key decision making fora, in line
with the IIA Standards on independence, the
Committee does not support Internal Audit
attending in a decision making capacity. This
attendance is intended to help Internal Audit
to gain an understanding of the business and
its strategy, and to provide its perspectives
on risk and control. The Committee stopped
short of mandating attendance at these
key management fora, with attendance
determined at the professional discretion of
the Chief Internal Auditor as they see fit to
discharge their responsibilities effectively.
The Committee received feedback relating
to the interpretation of the recommendation
relating to the remuneration of Chief Internal
Auditor. The guidance is consistent with
existing regulatory guidance around the
remuneration of personnel working in the
control functions of financial institutions.
The Committee did not deem it necessary to
prescribe additional guidance in this area.
The consultation paper recommended
that “in order to protect the objectivity and
independence of Internal Audit, the Audit
Committee should determine an appropriate
interval to consider the need to change the Chief
Internal Auditor and should have a similar policy
for divisional and subsidiary heads”. In response
to feedback received, this recommendation
has been amended to focus primarily on
the objectivity and independence of the
Chief Internal Auditor, rather than on the
need to change the Chief Internal Auditor.
In response to feedback received, the
Committee considered the application of
this guidance to financial services institutions
that have outsourced the internal audit
function to an external provider.
For smaller organisations this often proves
to be a more effective and practical way
of securing access to expertise, experience
and skills that they would not normally
be able to attract to an in-house function.
The guidance also explicitly recognises
the need for proportionality for different
types, and complexities of organisation.
[F] Resources
The Committee recognise that the guidance
may have significant implications for the
resource requirements of Internal Audit.
Increasing the expectations of Internal Audit,
particularly in areas such as independent
identification of key risks (including emerging
and systemic risks) challenging Executive
Management, exercising judgment over
technical areas such as risk appetite, governance
and culture, and assessing outcomes of
processes, requires a different, and potentially
increased mix of skills and experience.
The need for such skills and experience will be
driven by the risk profile of each organisation,
and should be informed by emerging risks in
the industry. It is important to emphasise that
the resources and skills within the function
should be determined by the risk assessment
and audit plan, and not vice versa – a criticism
of some audit functions was that their primary
focus was on the areas that they could audit, as
opposed to the areas that they should audit.
[G] Quality assessment
Recommendation 26 has built on the
IIA Standards to emphasise that Internal
Audit’s quality assessment activity must
13
 include “Internal Audit’s understanding
and identification of risk and control issues,
in addition to the adherence to audit
methodology and procedures”. This is making
explicit a requirement for an element of
quality assessment that is overlooked or
not performed by some functions.
The IIA Standards mandate an independent,
external review of the Internal Audit function
at least every five years. The Committee
agreed that an external review of the
quality and effectiveness of Internal Audit
is important in providing the Chief Internal
Auditor and the Audit Committee with an
assessment of the strength of the function.
Some consultation responses suggested that
the current five year limit for an external
review of Internal Audit should be reduced,
particularly in periods of organisational or
industry change. The Committee did not feel
that recommending a reduced maximum
period for this external review was appropriate.
It should be noted that the IIA Standards
mandate this period as a maximum, and
many organisations choose to commission
external assessments on a more frequent
basis. The quality assessment requirements
of audit functions can vary depending on a
range of factors, including the complexity
or degree of change in the organisation,
emerging risks in the industry or organisation
and stability or maturity of the audit function.
The Committee felt that to recommend a
timescale assumes that a periodic, holistic
review of the function is the most appropriate
approach to the external assessment. Some
functions are considering an ongoing
review by an external party, focusing the
quality assessment on high risk areas of
the audit function, such as emerging risks,
new methodology practices or industry hot
topics. None of the above should be taken
as acceptance of a less rigorous approach
14 to quality assessment than that specified in
the IIA Standards. The Committee does not
support the period between the performance
of an external review exceeding the five
year recommended period for external
review, as specified in the IIA Standards.
[H] Relationships with regulators
The guidance reinforces the requirement for
open, honest and constructive communication
with the Regulators. In response to consultation
feedback, the Committee did not see a
requirement to expand on the expectations
laid out in the Statements of Principle and
Code of Practice for Approved Persons,
and the UK Corporate Governance Code,
in relation to the interaction between the
Chief Internal Auditor and the Regulators.
Wider considerations
The Committee received numerous responses
requesting further guidance on the practical
application of the recommendations. The
Committee intends the guidance to establish
principles rather than detailed rules and feels
that the guidance itself is sufficiently clear
for Internal Audit to be able to apply those
principles. Nevertheless the Committee
recognises that firms would benefit from
additional guidance and instruction from the
Chartered Institute of Internal Auditors as industry
good practice becomes better established.
The Committee has also recommended that the
Chartered Institute of Internal Auditors revisits
the guidance document after a period of two
to three years, to provide the opportunity to
refine the recommendations contained herein.
This could be to reflect evolving practice
and implementation expectations, and to
correct any unintended consequences that
arise in the application of the guidance.
Roger Marshall, in his role as a Director at
the Financial Reporting Council, has made a
recommendation to the Financial Reporting
Council in his covering letter, pertaining to wider
Corporate Governance guidance for Boards and
Executive Management in relation to Internal Audit.
Committee Membership

Committee members

Roger Marshall (Chair) Audit Committee Chair, Old Mutual; Director,

Financial Reporting Council (FRC)

Paul Boyle Chief Audit Officer, Aviva (formerly Chief

Executive Financial Reporting Council)

Prof. Andrew Chambers Professor of Internal Auditing, now emeritus, Cass

Business School; advisor to the House of Lords inquiry
into audit market concentration (2010-12)

Paul Lawrence Group General Manager, Internal Audit, HSBC

Brendan Nelson Audit Committee Chair, BP; Audit Committee chair, RBS

Martyn Scrivens Group Chief Auditor, Credit Suisse

Carol Sergeant Non-Executive Director, multiple organisations; Former

Chief Risk Officer, Lloyds Banking Group; Former
Managing Director of the Regulatory Process and Risks
Directorate at the Financial Services Authority

Chris Spedding (Secretary) Senior Manager, Ernst & Young

Observers to the Committee

Stephen Brown Head of Internal Audit, Bank of England

Rosemary Hilary Head of Internal Audit, Financial Conduct Authority

Chris Hodge Director of Corporate Governance, Financial Reporting Council

Veenu Mittal Senior Associate, Accounting and Audit policy,

Prudential Regulation Authority

Ian Peters Chief Executive, Chartered Institute of Internal Auditors

Kevin Simons Partner, Ernst & Young

Pat Sucher Manager, Accounting and Audit policy, 15

Prudential Regulation Authority
About the Chartered Institute of Internal Auditors (IIA)
The IIA is the only body focused exclusively on internal auditing and we are passionate about
supporting, promoting and training the professionals who work in it. We have been leading
the profession of internal auditing for over 65 years. Our International Standards and Code of
Ethics unite a global community of over 180, 000 internal auditors in 190 countries.
We are committed to enhancing the recognition and professionalism
of internal audit in the UK and Ireland, through:

• Dynamic leadership of the profession which maximises our members’ reputation and influence
individually and collectively.
• Technical excellence through our International Standards and Code of Ethics.
• All members across the globe work to the same International Standards and Code of Ethics.
• We have 8,000 members in all sectors in the UK and Ireland.
• High quality support to our members throughout their careers, which enables
them to continually develop their professional knowledge, skills and experience
and provides other services of value to members in their roles.

These things, enacted through our staff, members and volunteers and
with the support of our suppliers and partners, make a significant
and unique contribution to the success of all organisations.

www.iia.org.uk
Chartered Institute of Internal Auditors
13 Abbeville Mews, 88 Clapham Park Road, London SW4 7BX
tel 020 7498 0101 fax 020 7978 2492 email [email protected]
©July 2013. Information can be made available in other formats.