Audit, risk and internal control

Internal Audit Code of Practice: a call to action for Boards and Audit Committees


Introducing the New Internal Audit Code of Practice: a call to action for Boards and Audit Committees

The article is written by Sally Clark, Chair of the Independent Internal Audit Code of Practice Review Committee, Audit Committee Chair at Citigroup Global Markets and a Non-Executive Director at A.I.B (UK) and Bupa.



In September 2024, the Chartered IIA published its new Internal Audit Code of Practice—a document I urge every board member and audit committee chair to read and act upon. As the chair of the committee responsible for drafting this new Code, I am deeply committed to the role internal audit can play in protecting the assets, reputation and sustainability of the organisations we serve. This Code is designed not just to be read but to spark meaningful conversations and actions by those at the top responsible for good governance.



My involvement with the Institute’s Code of Practice dates back to its inception in 2013 when we first addressed regulators’ concerns about the financial services sector’s failure to prevent the 2008 global financial crisis. At that time, internal audit was often overlooked, its role and impact largely invisible—even when teams were doing exceptional work. The original Code aimed to change that, starting with financial services and then extending to other private and third-sector organisations. It established clear expectations: chief internal auditors were granted the right to attend executive committee meetings, and their reporting lines were clarified to prioritise a primary line to the audit committee chair and a secondary line to the CEO. Internal audit could no longer be seen as merely an extension of the finance department.



Today, with the publication of the new Global Internal Audit Standards and the revised UK Corporate Governance Code, with its stronger focus on internal controls, we recognise the need to revisit and elevate our existing Codes. The result is a single, comprehensive Code of Practice that reflects current best practices and addresses the evolving challenges facing organisations. This is not just an update; it is a strategic tool designed to support audit committees, boards and chief internal auditors in navigating an increasingly uncertain, risky and rapidly changing world.



Despite the progress we’ve made, there remains a gap in understanding and appreciation for the role of internal audit at board level. Too often, the audit committee chair is selected based on financial experience or a background in external audit, while expertise in internal audit is undervalued. As someone who has transitioned from a chief internal auditor role to chairing an audit committee, I know firsthand the value—and the high expectations—of having an effective internal audit function. I expect chief internal auditors to push boundaries, drive continuous improvement, make a tangible difference and be changemakers within their organisations.



The new Code is designed to encourage audit committee chairs and CEOs to fully engage with their internal audit teams, recognising the critical value they bring. It’s a roadmap for best practice, whether your internal audit function is mature or still developing. The Code serves as a guide for board members without an internal audit background, helping them understand what to ask for and why it matters. It also raises expectations for CEOs, regardless of whether their internal audit function is in-house, outsourced, or a hybrid.



This Code is not prescriptive; it does not dictate a single path to excellence. Instead, it inspires internal audit teams to strive for continuous improvement. The goal is to foster constructive dialogue. We want chief internal auditors to approach their audit committees and boards with the Code in hand, saying, “This is how we can enhance our value to you.”



The role of internal audit extends far beyond completing a series of audits and its scope goes far wider than just assessing financial risks and controls. It’s about looking at the entire risk landscape and identifying themes, understanding root causes, and providing insights on key risks that lead to actionable solutions. To truly be valued at the highest levels of the organisation, chief internal auditors need to be the ones CEOs and board members turn to for advice on the most pressing issues, even in moments of crisis.



We are not pushing against a closed door. Management teams increasingly seek chief internal auditors who can offer informed opinions and advocate for strong internal controls. This also means simplifying control systems to focus on what truly matters, cutting through the noise. We expect chief internal auditors to be bold and courageous in adding value, and we believe the new Code will encourage and support this.



Importantly, the Code is concise enough to be accessible to non-executives and CEOs, ensuring that it will be read and discussed. Great conversations are the foundation of corporate improvement, and this Code is all about facilitating those discussions. This is just the beginning. A year from now, we hope audit committees and chief internal auditors will reflect on the progress made using this Code and identify new areas for enhancement.



Let this be the catalyst for a stronger, more impactful internal audit function within your organisation.


To go further, we invite you to watch a short interview (below) featuring Sally Clark, author of this article, and Sandro Boeri, President of the Chartered Institute of Internal Auditors, or to read the Code more fully here.

