FRC responds to Committee on Internal Audit Guidance for Financial Services
Chris Spedding
Secretary
Committee on Internal Audit Guidance for Financial Services
By email: [email protected]
12 April 2013
Dear Chris
EFFECTIVE INTERNAL AUDIT IN THE FINANCIAL SERVICES SECTOR
Thank you for giving us the opportunity to comment on the draft recommendations set out in your consultation document, "Effective Internal Audit in the Financial Services Sector". Chris Hodge sat as an observer to the Committee, and we are pleased that you have been able to reflect some of the comments he made in that capacity in the consultation document.
The main purpose of this letter is to respond formally to the recommendation addressed to the FRC, although we would also like to comment on some of the other issues raised in the consultation document.
The FRC will be reviewing the impact and implementation of the UK Corporate Governance Code later this year, and will decide following that review whether to recommend changes to the Code. Any proposed changes would be subject to consultation in early 2014, and would take effect from October 2014. Also in 2014, the FRC will initiate an exercise to consider whether merging our various guidance notes would be helpful to boards and committees. Your recommendations will be considered as part of both of those reviews.
As you will be aware, the Code does not currently mandate that listed companies should have an internal audit function, although where there is no such function it does require audit committees to review annually whether one is needed. For this reason the guidance that accompanies the Code does not specify in detail either the role or expected conduct of the internal audit function, other than by reference to the IIA's Code of Ethics and the International Standards for the Professional Practice of Internal Auditing. That said, there are references to internal audit in our guidance notes on internal control and the role and responsibilities of audit committees, and in the draft guidance on going concern on which we are currently consulting.
When carrying out that assessment we will have to be mindful that, unlike your recommendations, the UK Corporate Governance Code and its associated guidance apply to all listed companies and not just the financial services sector. Without wishing to pre-empt the outcome of those reviews, I would note that we have in the past taken the view that recommendations on risk management and internal control addressed to the financial services sector should not necessarily be applicable to all companies; for example, we chose not to extend to all companies the recommendation in the Walker Report that there should always be a separate board risk committee in banks and other systemically important financial institutions.
As is acknowledged in Roger Marshall's covering letter, even within the financial services sector the Committee's detailed recommendations may not be applicable to smaller institutions. For that reason, we believe it would be helpful if the financial services regulators were to indicate that they consider these to be "comply or explain", rather than binding, recommendations.
We had two other general comments on the draft recommendations.
First, some recommendations are capable of being interpreted as suggesting that the internal audit function should undertake activities that are rightly the responsibility of the board (for example, that internal audit should review "the design and operating effectiveness of governance structures" and the scope of the risk assessment set out in Recommendation 5). We are sure this was not the committee's intention, and it would not be consistent with the view expressed in the IIA's recent position paper on the "three lines of defence" model. We think the potential for misinterpretation could be removed by a clear statement in Recommendation 1 that the role of the internal audit is to assist the board in carrying out its responsibilities rather than assume them for itself, and that the other recommendations should be seen in that context.
Second, while we welcome the emphasis placed on independence in the consultation document, we think that more consideration might be given to what independence means and how it can be safeguarded when - in contrast to independent non-executive directors and external auditors, for example - the internal auditor will often be a full-time employee of the company. Getting the reporting lines right is clearly critical, but so are other factors such as performance measures and incentives.
Yours sincerely
Melanie McLaren
Executive Director
Codes and Standards
DDI: 020 7492 2406
Email: [email protected]
Aldwych House, 71-91 Aldwych, London WC2B 4HN Tel: +44 (0)20 7492 2300 Fax: +44 (0)20 7492 2301 www.frc.org.uk The Financial Reporting Council Limited is a company limited by guarantee. Registered in England number 2486368. Registered Office: as above.