Register to get free articles
Want unlimited access? View Plans
Already have an account? Sign in
The Chartered Institute of Internal Auditors (IIA) has called on the government to strengthen governance and oversight provisions in the Telecommunications Security Code of Practice, warning that current proposals do not go far enough to protect the UK’s digital infrastructure.
In its response to a Department for Science, Innovation and Technology consultation, the institute said the code should make explicit reference to the role of internal audit in providing independent assurance that telecom security risks are effectively managed.
The government’s proposed amendments aim to address evolving security threats to the telecommunications sector. However, the institute said it was concerned that the draft guidance, while covering governance and reviews, remains silent on internal audit.
The omission comes as research by the institute found that almost half of the UK’s major broadband providers do not have an internal audit function. Six of 13 leading firms surveyed were found to operate without one, raising questions about boards’ ability to oversee security and operational risks.
The institute said the lack of internal audit capacity in the sector mirrored issues seen elsewhere, such as in the energy industry, where inadequate oversight has been linked to supplier failures. It noted that energy regulator Ofgem now requires suppliers to report on their internal audit arrangements, while similar requirements apply to financial services firms regulated by the Financial Conduct Authority and Prudential Regulation Authority.
In its submission, the Chartered IIA recommended that the code be revised to make clear that telecoms security governance frameworks should align with internal and external audit and assurance mechanisms, consistent with the Government’s Cyber Governance Code published in April. It also proposed that telecom providers be required to explain how they obtain independent assurance so boards can demonstrate that security measures work effectively in practice.
The institute added that enhancing the code’s focus on governance and assurance would strengthen the resilience of the telecoms sector and help protect consumers and businesses from growing digital security risks.
Anne Kiem, chief executive of the Chartered IIA, said: “Telecommunications are the backbone of our digital economy and touch all of our daily lives. Yet too many telecom providers operate without the independent assurance that internal audit brings to business-critical risks, despite increasing digital security threats.
“Ministers need to recognise the vital role of internal audit in supporting robust governance in the Telecommunications Security Code by setting a clear expectation for companies to obtain independent assurance.”
