New recommendations for internal auditors in the financial services industry
On 11 February, the Committee on Internal Audit Guidance for Financial Services released its consultation document, ‘Effective Internal Audit in the Financial Services Sector’.
The document seeks to establish a benchmark for internal audit functions in the UK financial services sector in the wake of the recent financial crisis. Its draft recommendations are the result of a lengthy consultation process with key stakeholders in the risk management, governance and control of financial institutions in the UK. Deloitte has been an active participant in this debate, liaising with the Financial Services Authority (FSA), the Chartered Institute of Internal Auditors (IIA) and a wide range of Heads of Internal Audit.
The draft recommendations supplement rather than replace existing guidance set out in the Institute of Internal Audit International Professional Practices Framework (IPPF), the International Standards for the Professional Practice of Internal Auditing (the IAA Standards) and the Basel Committee on Banking Supervision’s paper on Internal Audit functions in banks. They are expected to affect the internal audit functions of all UK financial institutions once implemented.
The key recommendations made are:
Role and mandate
Internal audit’s primary role should be to help to protect the assets, reputation and sustainability of the organisation.
The Board Committees and senior management should set the right ‘tone from the top’ to ensure support for, and acceptance of, internal audit at all levels of the organisation.
Scope and priorities
Internal audit’s scope should be unrestricted and it should be freely able to challenge the executive and report any concerns.
Internal audit’s scope should include:
- The design and operating effectiveness of governance structures and processes;
- Board management and strategic information;
- Setting of and adherence to Risk Appetite;
- Risk and control culture;
- Risks of poor customer outcomes, giving rise to conduct or reputational risk;
- Capital and liquidity risks;
- Key corporate events (e.g. business transformation, new products and services, outsourcing decisions, transactions); and
- Process outcomes.
Internal audit plans should be risk based, driven by a bottom up and top down assessment of risk and be reassessed continually to take account of potential future and emerging risks. Internal audit plans should be formally approved by the Audit Committee. Subsequent amendments to the audit plan should be reported and explained to the Audit Committee.
Internal audit should attend and issue reports to the Board Audit Committee and the Board Risk Committee.
Committee reporting should include:
- A focus on significant control breakdowns with a detailed root cause analysis;
- Thematic issues identified across the organisation;
- An independent view of management’s reporting on risk management, remediation plans and progress against those plans;
- An assessment of the overall effectiveness of the governance and risk and control framework of the organisation and its risk profile on at least an annual basis.
Interaction with risk management, compliance and finance
Internal audit should be independent of the risk management, compliance and finance functions of the organisation. It should include within its scope an assessment of those functions and in no circumstances rely exclusively on their work.
Independence and authority
- The Chief Internal Auditor should be of sufficiently senior standing to effectively challenge the Executive. Subsidiary and divisional Heads of Internal Audit should be of comparable seniority to the senior management whose activities they are responsible for auditing;
- Internal Audit should have the right to attend Executive and other key management meetings;
- The primary reporting line for the Chief Internal Auditor should be to the Chairman of the Board of Directors. The Chairman may wish to delegate this responsibility to the Chairman of the Board Audit Committee or in exceptional circumstances to the Chairman of the Board Risk Committee;
- The Audit Committee should be responsible for appointing the Chief Internal Auditor and for determining an appropriate interval at which to consider the need to change the incumbent. A similar policy should be followed for divisional and subsidiary heads;
- The Audit Committee Chair should recommend the remuneration of the Chief Internal Auditor and should participate in setting their objectives and monitoring their performance.
The Chief Internal Auditor should ensure that the audit team has the skills and experience to address the risks of the organisation. A regular assessment of the skills of the team against the requirements for delivery of the audit plan should be made together with an assessment of the adequacy of the function’s budget.
The Board of Directors should confirm in the annual report that it is satisfied that internal audit is appropriately resourced.
Quality assessment (QA)
The Board or the Audit Committee is responsible for the regular evaluation of the performance of the internal audit function. Delivery of the audit plan should not be the sole criterion in this evaluation.
- Internal audit should continuously monitor its policies, procedures, performance and effectiveness in light of industry developments;
- Functions of a sufficient size should develop a quality assurance capability, with the work being performed by individuals who are independent of the delivery of the audit plan. QA work should be risk based to cover the higher risks of the organisation and the audit process. The results of QA processed should be presented directly to the Audit Committee on at least an annual basis.
Relationship with regulators
Internal audit should have an open, constructive and co-operative relationship with the regulator.
As a significant influence function, the Chief Internal Auditor must fully comply with the relevant provisions of the Statements of Principle and Code of Practice for Approved Persons, the UK Governance Code, and other relevant regulatory obligations specific to internal audit.
The Committee has requested that comments on this draft guidance are submitted by the 12 April 2013.
For further information, please contact: