New year, new FS Code

As we start the new year, Heads of Internal Audit may be wondering what lies ahead in 2021 for their internal audit functions. Last year was incredibly challenging and internal audit functions had to adapt to stay effective and relevant. For 2021, the ongoing disruption to ‘business as usual’ arising from Covid-19 means that internal audit functions will continue to work remotely, at least for the foreseeable future. They will also need to continue to be able to adapt to the business environment and risk profile of their organisations, which may be subject to challenge and change as a result of the continuing and potential lasting effects of the pandemic.

One thing that Heads of Internal Audit in the financial services sector may not have been expecting for 2021 was the publication in January of a new version of the Chartered Institute of Internal Auditors Internal Audit Financial Services Code of Practice: Guidance on effective internal audit in the financial services sector (‘the Code’). This follows the publication of the Internal Audit Code of Practice: Guidance on effective internal audit in the private and third sectors in January 2020. The changes to the FS Code are to align the two codes for consistency.

While the CIIA has concluded that, overall, the Code is “fundamentally sound” and does not require substantive change, it has included some changes including:

This will mean that financial services organisations in Ireland will need to adopt the Code if they haven’t already.

This should help to avoid any confusion as to which Code applies to each sector, as summarised below:

Financial services sector

Internal Audit Financial Services Code of Practice: Guidance on effective internal audit in the financial services sector (January 2021)

Private and third sector

Internal Audit Code of Practice: Guidance on effective internal audit in the private and third sectors (January 2020)

Public sector

Public Sector Internal Audit Standards

This provides greater flexibility for smaller organisations than the Code previously allowed. Where smaller organisations take advantage of this, it is important that they can explain their approach and why it is proportionate to their audit committees (or equivalent body).

Some additional requirements / clarifications regarding scope of work include:

  • Protection of customer data has been added in respect of the risk of poor customer treatment, giving rise to conduct or reputational risk. This reflects increasing risks associated with cyber security and data protection
  • Scope of internal audit work in relation to capital and liquidity risks to include the process for establishing and maintaining scenario analysis (stress testing) in relation to major risk categories, and recovery plans related to economic shocks. This is particularly relevant due to the current and downstream economic impact of Covid-19 and the fact that financial resilience is a key priority for the regulators.
  • New requirements in respect of QAIP of co-sourced providers
  • Chief audit executives should report regularly to the audit committee on the actions or progress implementing the outcomes of the QAIP review of outsourced or co-sourced external providers
  • External quality assessment should consider and report on compliance with the Code as well the IPPF and IIA Standards.

This will require some co-operation between chief audit executives and their external providers to ensure QAIP is appropriate / consistent and that actions and outcomes from the QAIP review are monitored and reported. They will also need to ensure that the scope and reporting of the external quality assessment explicitly covers the Code.

In practice, internal audit functions usually have some communication with external auditors. However, this new requirement may trigger a need to assess the frequency or quality of this communication and sharing of information.

How can we help?

We encourage Heads of Internal Audit to review the new Code in light of their current situation. In particular, where internal audit functions have made changes to their organisation, structure or ways of working in response to Covid-19, it is important to assess whether they remain effective and compliant with the Code. It is always important to bear in mind proportionality and ensure that the changes to the Code are assessed and implemented as appropriate.

PKF is always here to help you and we have put together a comparison tool to help you assess and report on the changes to the Code to your audit committees. You can download this here.

Contact our experts