There don't appear to have been any seismic changes as a result of the consultation, though the "need for proportionality" has been recognised, and clarification has been added that the content itself has not been mandated by the profession as best practice.
Interestingly, huge emphasis has been put on clarifying the primary role of Internal Audit as being the "protection" of a firm's assets, reputation and sustainability - does the profession feel well resourced and equipped to handle reputational defence? - while a few other elements sprang out at me:
- A focus remains on IA challenging the "tone at the top", as if the expression now carries so much weight and definition that professional guidance can be hung from it.
- "Risk Appetite" is again not defined; however, IA are on the hook for assessing that it has been established and reviewed by senior management.
- Emphatically declares that "...the assurance map cannot be carved up between the Risk, Compliance and Internal Audit functions", stressing that IA will be expected to include the challenge of the work of other control functions in their audit plans.
- Built in some leeway around their earlier suggestion of compulsory attendance of IA function heads at Executive Committee meetings (ostensibly in order to understand strategy) - for insurers, one could anticipate that the advent of ORSA may take care of that knowledge gap.
Certainly the PRA/FCA have been fast to come out with support for the final version, so I guess all control functions had better make their peace with the content and prepare appropriately.