New draft code for financial sector internal audit reflects the need for progressive technology solutions
As you read this article, a new draft code for those involved in internal audit for the financial services sector is being drawn up by the Chartered Institute of Internal Auditors (IIA). 1 When finalised, the code will provide UK financial services sector-specific guidance for the first time and will set a benchmark against which boards and regulators can assess the effectiveness of internal audit functions.
- Internal audit’s primary role is clearly stated as helping to protect the assets, reputation and sustainability of their organisation.
- The scope of internal audit should be unlimited – internal auditors should not be barred from assessing the management of any risk in any part of the business.
- Internal audit should assess whether the organisation’s processes and actions are in line with its values, ethics, risk appetite and policies.
- To ensure its independence and authority the primary reporting line of internal audit should be to the chairman of the board of directors, not to the chief executive.
- Internal audit should be adequately resourced, skilled and quality assured.
The code aims to encourage internal auditors to obtain a consistently wide view across the range of risks within an organisation and also allows them to exert greater influence to ensure risks are managed properly throughout the financial services sector. This new code serves to clarify the role of internal auditors in relation to the quality of information on which boards base their decisions and whether the risks associated with key decisions are properly managed. Ultimately it is an important contribution to the strengthening of internal audit’s role in improving risk management. The IIA’s deadline for comments on the draft code is Friday 12 April.
With the imminent arrival of these IIA code recommendations in an increasingly complex, changing and regulated business environment, it is without doubt that the role of internal audit is continually evolving. Shareholders, board members and management are placing greater emphasis on how internal auditors can play a role in evaluating and mitigating risks, their involvement in IT and operations, managing fraud risk, and playing a greater role in corporate governance. These changes will also bring about a greater connection between internal audit with compliance and risk functions. This puts the spotlight firmly on the rise of integrated GRC. Organisations that understand and apply the principles of integrated governance, risk and compliance, in both processes and technology, have a real competitive advantage. They improve their ability to make well informed strategic decisions and respond with agility and speed to threats (legal and ethical breeches) and opportunities (customer satisfaction and trust) that arise.
Consequently practitioners are progressively realising the need for better technology to support a robust audit framework in their changing climate. The increasing variety of technology in the market is resulting in greater innovation on the vendor side and more intense scrutiny on the practitioner’s behalf. While the Gartner Magic Quadrant software vendors are well known there are some surprising new players in the market worth checking out that go far beyond the requisite senior exec heat map and include items such as highly valuable and innovative mobile applications. The GRC Innovator Awards 2013 finalists will reveal a good overview.
Also look out for the Open Compliance & Ethics Group (OCEG.org) a well-respected, non-profit GRC think-tank who hold vital key for ‘outside of software’ GRC integration strategy with their ‘open standard’ capability model for Principled Performance®. In essence a highly flexible and detailed GRC integration road-map that can save your organisation countless and potentially fruitless months trying to come up with something yourself.
The IIA recommendations certainly reflect the huge relevancy of the market issues and are to be applauded for a move that will more effectively protect organisations from problems of the sort which impact the public purse, and damage reputations and confidence in the financial system. In light of the forthcoming IIA Code, internal audit professionals look certain to give serious attention and greater consideration to the assistance of technology in their increasingly complex role.