Internal Audit at HSBC Builds Credibility and Helps Influence Change from the “Top Table” Down
Company Headquarters — United Kingdom
Number of Countries Operates in — 75
Number of Employees in Company — 254,000
Industry — Banking and Financial Services
Annual Revenues — US$78 billion (as of Feb. 24, 2014)
Number in IA Function — 900
Number of Years IA Function Has Been in Place — 20+
IA Director/CAE Reports to — Chair of the Audit Committee and Chief Executive Officer
“If those of us in internal audit can’t make a positive impact on our organization in today’s environment, then frankly we must be doing something wrong. The opportunity we have right now is immense.”
- Manveen Pam Kaur
HSBC Holdings Group plc is one of the world’s largest banking and financial services organizations. Established in 1865, HSBC credits the inspiration for its founding to Scotsman Thomas Sutherland, who worked for the Peninsular and Oriental Steam Navigation Company. Sutherland recognized the need for local banking facilities in Hong Kong and on the China coast to help finance growing trade between Europe, India, and China. HSBC is named after its founding member, The Hongkong and Shanghai Banking Corporation Limited.
Today, HSBC is a multinational company headquartered in London. It operates four global businesses–commercial banking, private banking, global banking and markets, and retail banking and wealth management. HSBC serves about 54 million customers through a network of more than 6,300 offices in 75 countries and territories.
Manveen Pam Kaur is head of internal audit and sits on the group management board for HSBC. She joined the company in April 2013, taking over the role from longtime HSBC executive Paul Lawrence, who retired. Kaur has a career in the banking and financial services industry that spans nearly three decades, and joined HSBC from Deutsche Bank, where she had served as head of internal audit since 2011.
At HSBC, Kaur oversees an internal audit team of 900 who work across the world, including at the bank’s affiliates. The team is based primarily in major centers of business for HSBC: London, New York, and Hong Kong. There are also sizable audit teams operating in countries such as China and India, and regional teams, in Latin America and the Middle East.
Kaur has 11 direct reports – many are heads of audit for major HSBC banking entities. Kaur and her team collaborate regularly and meet in person as a group several times a year. Kaur reports functionally to the chair of the audit committee of HSBC’s board of directors; administratively, she reports to HSBC’s chief executive officer.
Maintaining independence yet exercising influence
Over the past decade, Kaur says she has observed growing pressure on internal audit functions across the globe to respond to “enhanced expectations from a range of stakeholders” – from regulators to executive management. Because of these expectations, Kaur says today’s internal audit leaders need to ensure the right skill sets are in the function to make it more forward-looking and driven by outcomes as opposed to just operational and control reviews.
“That’s a big shift. Internal audit still has to be very good at what’s traditionally been required of the function, of course – being a third line of defense. But it now also must support the sustainability of the franchise from a long-term perspective,” she explains.
While many internal audit functions today strive to be viewed as a partner in their organizations, Kaur says she challenges the use of that term to describe internal audit. She explains, “For internal audit, independence is a critical prerequisite for the credibility of the function. Now, you also should be able to make a difference in the company by objectively influencing decision-making. A good internal audit function supports the organization in improving its control environment, and helps management to anticipate emerging risks and to prepare for them.”
One of the most positive changes Kaur says she has witnessed in recent years in the financial industry is the evolution of the risk function into a “more cohesive and a strong second line of defense.” She says, “If you have a well-developed second line of defense, you can rely on it more because it can be a good indicator of the actual risk culture environment in the organization. You can develop stronger combined assurance maps, which allow you to look at risk profiles more holistically and target audit work appropriately.”
Kaur adds, “Nevertheless, risk functions are still evolving, and I do think that even if a strong risk and business control function exists, internal audit still needs to conduct in-depth testing to gain their independent assurance.”
Internal audit no longer a “backwater”
Kaur says the banking industry, as a whole, can improve in terms of getting more value from internal audit – and that starts by helping to ensure the function is a magnet for talent from all lines of business. “In non-financial services industries, you see internal audit functions that operate like learning academies, a place where high-potential employees spend time as a way to prepare for assuming more senior business roles in the organization,” Kaur explains. “Some companies even make it mandatory for employees to spend a specific number of years in audit or control before moving on to certain roles in the company.”
She continues, “Unfortunately, in financial services, I think there are many people who have worked only in audit during their careers. They haven’t had the opportunity to move from audit into the business and back, which I think is quite important if the function is actually going to help drive positive change in the organization and attract talent from other sources.”
Kaur says almost every person on her top team has at least five to 10 years of non-audit experience in senior business roles in financial services. “Balanced experience is necessary because it helps internal auditors to build respect and credibility in the organization,” she says. “When telling someone to make improvements, it helps if that person knows that you understand their business, and their perspective.”
Effective internal audit leaders are essential to building credibility for the function on a broader level, according to Kaur. “How you position the internal audit function is critical to its effectiveness,” she explains. “For example, it’s a known fact that I sit on the group management board at HSBC along with other heads of business and functions. In most organizations, this is not the case. But if internal audit’s leadership is not represented at the top table, the function is at risk of being viewed as subservient to management.”
Kaur says internal audit leaders also have to be able to show they’ve earned their seat at the top table: “An effective audit leader today needs strong interpersonal skills and the ability to influence.”
Looking ahead, Kaur believes many internal audit leaders in the banking and financial services industry will find it easier to recruit non-audit talent into the function: “Many functions have already been able to attract talent since the financial crisis because businesses have not been growing so fast. While internal audit may have once been viewed as a backwater, in a changing world where risks and controls are becoming more of a focus, the importance of the function has grown in the eyes of both executive and nonexecutive stakeholders.”
Adding value – proactively and creatively
Kaur says that the higher profile of internal audit within a business today gives the audit team both opportunity and flexibility to find new ways to add value proactively to the organization. “By monitoring business and regulatory developments and market events, and applying lessons learned, internal auditors can help their company to anticipate future challenges and requirements,” she says. “They can assess today’s control environment and identify potential gaps based on the trends they are observing today. That’s one area where they can add a great deal of value to the business.”
Internal audit is uniquely positioned to provide an end-to-end perspective on what’s happening in the business and anticipate what could impact it in the future, Kaur says: “Internal audit is perhaps the only function with the mandate and the ability to look at all business functions within an organization and see how the various pieces fit – or don’t, as the case may be.”
Kaur says internal auditors should not be afraid to think creatively in order to find other ways to add value to the business. One suggestion she offers is to evaluate major change initiatives, like information technology system implementations, to compare the business case to what was actually achieved.
“If those of us in internal audit can’t make a positive impact on our organization in today’s environment, then frankly we must be doing something wrong,” says Kaur. “The opportunity we have right now is immense.”