They note in summary that there is "strong support for an unrestricted scope for internal audit", while drawing attention to disparity of opinion around matters such as: IA directly challenging strategy; IA reporting to Risk Committees (rather than audit committees) in certain instances; compulsory attendance of Chief Internal Auditors at Executive Committees; and the direction of managerial reporting lines.
The proposed guidance reads very much like the Corporate Governance Code, and is relatively light. It is broken into the following sections, where I have noted anything I found new or controversial alongside (my focus being predominantly scope creep into the Risk function's activity):
- Role and Mandate of IA - increased focus on risk assessment and risk coverage adequacy
- Scope and Priorities of IA - unrestricted scope ultimately advised; expected to "independently determine" key risks, and assess "the setting of, and adherence to, risk appetite"; assess the "risk and control culture"; allows for potential involvement of IA on a "real time basis" in key corporate events (mergers, disposals, new lines of business, etc.)
- Reporting results - factors in reporting obligations to both Risk and Audit Committees where appropriate, and builds in an expectation of an annual independent assessment of governance (which covers off one of the FSB's recommendations covered yesterday!)
- Interaction with Risk, Compliance and Finance functions - nothing new
- Independence and Authority - Chief Internal Auditor expected to be executive committee-equivalent, have the right to attend Excom, have access to all MI, and report directly to either the Chairman of the Board, the Audit Committee or, at a push, the Risk Committee. A secondary line to an executive director should only go to the CEO.
- Resources - all resourcing decisions effectively divorced from the business, to reside with the Chief Internal Auditor and the Audit Committee
- Quality assessment - external assessment of the function recommended periodically.
- Relationships with regulators - nothing new
- Wider considerations - expectation that the "tone at the top" of a firm should be what fosters acceptance of IA
Any controversy? Perhaps around the seniority of the Chief Internal Auditor, and their assessment of the setting of, and adherence to, Risk Appetite. I think my main concern as a risk practitioner would be the potential for differences of opinion around what constitutes "adequate" risk management, given the Internal Audit predilection for COSO on all things risk-related, as against the IRM or ISO 31000.
Let battle commence?