The Chartered Institute of Internal Auditors (Chartered IIA) has announced a new Internal Audit Code of Practice to strengthen corporate governance across the UK and Ireland. Effective from January 2025, this Code introduces a unified standard for internal audit practices across financial services, private, and third sectors. It aims to improve business resilience and address emerging risks, including those related to artificial intelligence (AI) and cybersecurity.
The Code was developed by an independent committee chaired by Citigroup Global Markets audit committee chair Sally Clark and includes input from regulators such as the Bank of England, the Central Bank of Ireland, the Financial Conduct Authority, and the Financial Reporting Council. It aligns with the updated UK Corporate Governance Code and the new Global Internal Audit Standards and sets out a principles-based approach to internal auditing.
“This Code is a pivotal advancement for the internal audit profession and corporate governance in the UK and Ireland,” said Clark. “Now more than ever, internal auditors must be bold and proactive if they are to add value to the organisations that they work within.”
New standards for auditors’ use of AI
Internal audit functions are required to assess governance and control frameworks for managing IT general controls, cybersecurity, cloud, digital, and data risks, including risks associated with AI systems. Internal audit teams are expected to use tools such as AI and data analytics to help in identifying and addressing these risks.
The code specifies that internal auditors should assess risks linked to AI, such as data privacy, algorithmic bias, and ethical concerns. It requires them to evaluate the adequacy and effectiveness of frameworks in place for AI governance.
The code also outlines the need for internal auditors to review an organisation’s cybersecurity measures, including how it detects, prevents, and responds to cyber threats. This is in response to the growing frequency and sophistication of cyberattacks.
Additionally, the new Internal Audit Code of Practice expands the scope of internal audits to include various emerging risks. These include environmental sustainability, climate change, financial crime, and social issues. The Code requires internal audit teams to conduct risk-based reviews of organisational culture, including risk and control culture as well as broader cultural risks.
The Chartered IIA has urged organisations with an internal audit function to adopt the new code and work towards full compliance. The professional body for internal auditors claims that the revised set of standards serves as a benchmark for best practices and is intended to guide internal audit functions in responding to a changing risk environment.
“As organisations confront an increasingly uncertain and dynamic risk landscape, the new Internal Audit Code of Practice offers a crucial framework that will enhance the role of internal audit in advising and providing assurance to boards and senior management over their organisation’s risks, controls and corporate governance processes,” said Chartered IIA’s chief executive, Anne Kiem. “A robust internal audit profession is essential to restoring trust in the broader audit and corporate governance ecosystem and supporting economic stability.”