Bringing you up to speed: Changes in 2025 impacting internal auditors in the UK..

As of March 2025, internal auditors in the UK should be aware of several significant regulatory changes and emerging areas impacting which can impact us. Here, we provide a summary of what internal auditors need to be up to date on.

1. Establishment of the Audit, Reporting and Governance Authority (ARGA)

The UK government is in the process of replacing the Financial Reporting Council (FRC) with a more robust regulator, the Audit, Reporting and Governance Authority (ARGA). This transition aims to enhance oversight in the audit sector, addressing past corporate failures and improving audit quality, as well as implement improvements to corporate reporting, governance and director’s accountability. While the exact timeline for ARGA’s full implementation remains uncertain, internal auditors should prepare for its forthcoming influence on regulatory practices.

2. Revisions to the UK Corporate Governance Code

Effective from January 2025, updates to the UK Corporate Governance Code have been introduced to strengthen corporate governance frameworks. Key changes include:​

• Enhanced Board Responsibilities: Boards are now required not only to establish but also to maintain the effectiveness of risk management and internal control frameworks. This entails continuous monitoring and annual assessments, with clear reporting to stakeholders.​
• Comprehensive Control Evaluations: The annual assessment must cover all material controls, encompassing financial, operational, reporting, and compliance aspects. Internal auditors play a crucial role in providing assurance on these controls.​

These revisions necessitate that internal audit functions align their practices to support boards in meeting these enhanced obligations. ​

3. Introduction of the Cyber Security and Resilience Bill

The proposed Cyber Security and Resilience Bill aims to bolster the UK’s defenses against cyber threats by updating existing regulations. Key provisions include:​

• Mandatory Compliance: Organisations will be required to adhere to established cybersecurity standards and practices, ensuring essential measures are implemented.​
• Regular Audits and Reporting: Businesses must demonstrate compliance through regular audits and reporting, emphasizing the importance of robust cybersecurity frameworks.​

Internal auditors should prepare to assess and enhance their organisations’ cybersecurity measures in line with these anticipated requirements.

4. Adoption of the Internal Audit Code of Practice

To improve corporate governance and restore trust, a new Internal Audit Code of Practice has been introduced. This code urges internal auditors to explicitly review risks related to:​

• Company culture​
• Climate change​
• Artificial intelligence​
• Cybersecurity​
• Fraud and economic crime​

While adoption is voluntary, aligning with this code is considered best practice and demonstrates a commitment to comprehensive risk management. ​

5. Implementation of the Global Internal Audit Standards

Effective from January 2025, the Institute of Internal Auditors (IIA) has introduced new Global Internal Audit Standards. These standards emphasize:​

• Professionalism: Upholding integrity, objectivity, and due professional care.​
• Performance: Enhancing the quality and impact of internal audit activities.​
• Governance: Ensuring effective oversight and alignment with organisational objectives.​

Internal audit functions should review and update their charters, manuals, and training materials to conform with these standards. ​

6. Focus on Environmental, Social, and Governance (ESG) Factors

There is an increasing emphasis on integrating ESG considerations into audit practices. Internal auditors are expected to:​

• Assess Sustainability Practices: Evaluate the environmental and social impacts of business operations.​
• Ensure Robust ESG Reporting: Verify that ESG disclosures meet regulatory standards and reflect actual performance.​

This trend underscores the need for internal auditors to develop expertise in ESG-related risks and reporting. ​

7. Enhanced Cybersecurity and Technological Proficiency

With the rise in cyber threats and technological advancements, internal auditors are increasingly required to:​

• Evaluate Cybersecurity Measures: Ensure that adequate controls are in place to protect against cyber risks.​
• Leverage Advanced Technologies: Utilize artificial intelligence and data analytics to enhance audit processes and risk assessments.​

Staying abreast of technological developments is essential for effective internal auditing in the current landscape. ​

By proactively adapting to these regulatory changes and emerging trends, internal auditors in the UK can significantly contribute to strengthening their organisations’ governance, risk management, and control processes.

What happens now?

My Audit Spot is working hard to bring the latest templates, guidance, tools and insights to its members to help them successfully navigate the large number of abovementioned changes.

To keep up to date, simply create a free account, or become a member to be included in our monthly mailing list.