Boards of UK companies will have to consider moving their heads of managing risk and governance every seven years as a way to avoid “groupthink”, under new measures set to be announced later this week.
The move is just one change that will appear in a revamped code for internal auditors on September 1.
The overhaul of the code, which first appeared in 2013, is intended to strengthen further the role of internal auditors, who are on the payroll of large companies and yet are expected to keep a critical and independent eye on how their employers manage risk.
These risks are not just financial but can also include reputational and legal problems on the horizon, with an internal audit acting as a board’s “eyes and ears”.
The move to rotate chief internal auditors every seven years is in line with a similar policy already in place, which requires companies to change their external auditors in order to mitigate conflicts of interest.
Other changes coming on Friday include putting more emphasis on scrutinising whether employees across the organisation are living up to the ethics espoused at the top, and a requirement for internal audit to review any regulatory failures and dissect what went wrong.
“It’s a timely reminder, 10 years on from the financial crisis, that the management of risk and the culture at financial services institutions is key,” said Ian Peters, chief executive of the Chartered Institute of Internal Auditors, which compiled the code. “This is one way that we can ensure we embed that; it’s not just good words made by the executives but there’s some action behind it.”
The code’s update is the latest attempt since the financial crisis to beef up internal audit as a bulwark against excesses of executives. Financial regulators and policymakers have tried to improve culture across the City of London following a string of scandals from benchmark-rigging to the mis-selling of payment protection insurance.
The lack of support within companies for internal audit was one theme highlighted by a parliamentary report in 2013 into failings of the banking sector following the crisis. It found that internal auditors had not had enough status within financial institutions to allow them to challenge senior bankers effectively.
That led to the creation of the original code by the institute, which sought to put internal auditors at banks and insurers on a more independent footing by recommending that they primarily report to the non-executive director who chairs the company’s audit committee, as opposed to answering to one of the executives.
The code, which applies to internal audit at all companies and not just the financial sector, was published with the support of the UK’s financial regulators, and they have helped with its overhaul. But Mr Peters said it was vital that the watchdogs impressed the code’s importance on companies that they regulate during their day-to-day dealings.
The Financial Conduct Authority said: “We continue to support the work of the Chartered Institute of Internal Auditors as they enhance the effectiveness of internal audit functions.”
The Bank of England’s Prudential Regulation Authority declined to comment but it has specific rules that stipulate lenders and insurers should have an independent internal audit function, according to the complexity of their business.