New year, new FS Code


As we start the new year, Heads of Internal Audit may be wondering what lies ahead in 2021 for their internal audit functions. Last year was incredibly challenging and internal audit functions had to adapt to stay effective and relevant. For 2021, the ongoing disruption to ‘business as usual’ arising from Covid-19 means that internal audit functions will continue to work remotely, at least for the foreseeable future. They will also need to continue to be able to adapt to the business environment and risk profile of their organisations, which may be subject to challenge and change as a result of the continuing and potential lasting effects of the pandemic.

One thing that Heads of Internal Audit in the financial services sector may not have been expecting for 2021 was the publication in January of a new version of the Chartered Institute of Internal Auditors Internal Audit Financial Services Code of Practice: Guidance on effective internal audit in the financial services sector (‘the Code’). This follows the publication of the Internal Audit Code of Practice: Guidance on effective internal audit in the private and third sectors in January 2020. The changes to the FS Code are to align the two codes for consistency.

While the CIIA has concluded that, overall, the Code is “fundamentally sound” and does not require substantive change, it has made some changes, including:

  • Clarification that the Code applies to organisations operating in the financial services sector in Ireland as well as in the UK.

    This will mean that financial services organisations in Ireland will need to adopt the Code if they haven’t already.

  • Clarification that the Code contains guidance specific to the financial services sector and that organisations outside of the financial services sector should follow the Internal Audit Code of Practice: Guidance on effective internal audit in the private and third sectors.

    This should help to avoid any confusion as to which Code applies to each sector, as summarised below:

| Sector | Relevant guidance |
|---|---|
| Financial services sector | Internal Audit Financial Services Code of Practice: Guidance on effective internal audit in the financial services sector (January 2021) |
| Private and third sector | Internal Audit Code of Practice: Guidance on effective internal audit in the private and third sectors (January 2020) |
| Public sector | Public Sector Internal Audit Standards |

  • Further emphasis on proportionality of application – how smaller organisations apply the principles and procedural requirements of the Code will depend on their size, risk profile and internal organisation and the nature, scope and complexity of their operations.

    This provides greater flexibility for smaller organisations than the Code previously allowed. Where smaller organisations take advantage of this, it is important that they can explain their approach and why it is proportionate to their audit committees (or equivalent body).
  • Widening of reporting – there is an additional requirement to report to the board risk committee on whether the organisation’s risk appetite framework is being adhered to. Reporting to other board committees is also referenced within the new Code.
  • Some additional requirements / clarifications regarding scope of work
    • Protection of customer data has been added in respect of the risk of poor customer treatment, giving rise to conduct or reputational risk.
      This reflects increasing risks associated with cyber security and data protection.
    • Scope of internal audit work in relation to capital and liquidity risks to include the process for establishing and maintaining scenario analysis (stress testing) in relation to major risk categories, and recovery plans related to economic shocks.
      This is particularly relevant due to the current and downstream economic impact of Covid-19 and the fact that financial resilience is a key priority for the regulators.
  • Additional requirements in respect of the Quality Assessment and Improvement Programme (QAIP)
    • New requirements in respect of QAIP of co-sourced providers.
    • Chief audit executives should report regularly to the audit committee on the actions or progress implementing the outcomes of the QAIP review of outsourced or co-sourced external providers.
    • External quality assessment should consider and report on compliance with the Code as well as the IPPF and IIA Standards.

    This will require some co-operation between chief audit executives and their external providers to ensure QAIP is appropriate / consistent and that actions and outcomes from the QAIP review are monitored and reported. They will also need to ensure that the scope and reporting of the external quality assessment explicitly covers the Code.

  • New requirements for the chief audit executive and the partner responsible for external audit to ensure appropriate and regular communication and sharing of information.

    In practice, internal audit functions usually have some communication with external auditors. However, this new requirement may trigger a need to assess the frequency or quality of this communication and sharing of information. 

We encourage Heads of Internal Audit to review the new Code in light of their current situation. In particular, where internal audit functions have made changes to their organisation, structure or ways of working in response to Covid-19, it is important to assess whether they remain effective and compliant with the Code. It is always important to bear in mind proportionality and ensure that the changes to the Code are assessed and implemented as appropriate.

PKF is always here to help you and we have put together a comparison tool to help you assess and report on the changes to the Code to your audit committees. You can download this here.