ABN AMRO’s Chief Audit Executive Looks Back at a Decade of Change

Company Headquarters — The Netherlands

Number of Countries Operates in — Approximately 30

Number of Employees in Company — 22,289 (as of year-end 2013)

Industry — Banking

Annual Revenues — US$10 billion (as of Dec. 31, 2013)

Number in IA Function — 140

Number of Years IA Function Has Been in Place — At least 30

IA Director/CAE Reports to — Chairman of the Managing Board of ABN AMRO and Chairman of the Audit Committee


“Internal audit functions should not be simply putting recommendations on paper and waiting for management to take action. The internal audit functions should take the action, spearheading change and improvement.”

- John Bendermacher


ABN AMRO, a Dutch bank headquartered in the Netherlands, provides products, services and financial advice for retail, private and commercial banking customers around the world. John Bendermacher is the chief audit executive for ABN AMRO, leading the company’s Group Audit function, which consists of 140 audit professionals who provide assurance and added value to ABN AMRO management, along with a host of strategic objectives, including:

  • Risk-based and scalable audit planning
  • A flexible, highly capable staff
  • An audit approach aligned with quality communication and solution management
  • Follow-up monitoring
  • Cooperation within the bank’s “three lines of defense” 

In the past 10 years, ABN AMRO has undergone significant organizational change – what was once an organization with 80,000 employees across 70 countries was subject to a merger and a de-merger before it was ultimately split up and then nationalized. “Throughout all of that change, Group Audit remained a strong entity within the bank,” Bendermacher says. “Some functions had to be built again from the ground up, but Group Audit survived with a solid position as a highly valued partner to the bank’s various business units.”

Three lines of defense

The three lines of defense model, which has been implemented in many financial institutions, involves three tiers of assurance for the organization: The first line of defense is typically provided by operational management; the second line is owned by risk management and compliance; and the third line is internal audit.

“Fifteen years ago, the internal audit profession as a whole was primarily focusing on financial audits. In a sense, I see that trend returning a bit, as regulators are seeking more assurance and comfort around regulatory reporting, especially with financial institutions and insurance companies,” Bendermacher says. At the same time, the regulators are asking that attention be paid to fundamental principles related to how to build and maintain an organization’s governance structure. “Right now – and for the past two to three years – we have seen a shift toward more governance control auditing, management control auditing, and soft controls auditing,” he says. “There is a certain set of highly sought-after and critical skills to be gained, and experience to be leveraged, by conducting these types of audits. Five to 10 years ago, the Group Audit function conducted a great deal of internal control testing. Recently, that nature of testing was moved to the second line of defense.”

An impending IPO

According to Bendermacher, while the skill sets of audit leaders have changed over the past 10 years, they have not changed enough. The skills and experience levels that he thinks will shape the next generation of audit leaders include more governance skills, regulatory and legal acumen, and soft-control assessment capabilities. Certainly, this will be true in the coming years at ABN AMRO.

“After ABN AMRO was nationalized, the Minister of Finance has had to decide when the bank will go public again,” Bendermacher says. “This will most likely take place in 2015 or 2016. Between now and then, when the IPO is issued, it is critical that the governance, risk management and internal control structures of the bank are firmly in place. This has been a wake-up call for all of us, in many ways. Our board of directors has encouraged all of the business units, and leadership, to establish clear action plans in order to fill every gap and fix every deficiency that we see so that we can provide regulators, external auditors, and all other stakeholders with the assurance that we are ready for any due diligence.”

Taking action

In the Netherlands, many internal audit functions are working the way they should by providing assurance to their organizations’ risk management and control structures, while also implicitly adding value. However, according to Bendermacher, there are still improvements to be made. “Internal audit functions should not be simply putting recommendations on paper and waiting for management to take action,” he says. “The internal audit functions should take the action, spearheading change and improvement. We have to make sure that any and all opportunities for improvement are realized.”

Bendermacher says that the optimal way to conclude an audit is to conduct a closing meeting, describe the findings and the risk, and together, identify the actions, including who owns each action and how deadlines will be met. Reporting should provide senior management with the solutions, not with the problems. “If you wait, it takes much longer to get the action going,” he says.

While Bendermacher has only been in his current position for about six months, he takes a long and strategic view of the Group Audit function. He says that the key benefits ABN AMRO has realized from the strong positioning of the Group Audit function include the overall strength of Group Audit in the bank’s governance structure and the fact that Group Audit has become a truly trusted partner of both the board of directors and senior management. “Everyone knows what we are doing, accepts our role, and works with us,” he says. But the work, and the change, has only begun for him and his management team.

“We have recently realized that our audit planning has to be much more flexible than it was before, especially since the primary project of the bank now is to be compliant with the scrutiny and regulations imposed on us by the European Central Bank. From a Group Audit point of view, we have to accomplish many things, and this can only be achieved through a flexible planning and staffing approach,” he says.

A decade’s worth of trends and change

An emphasis on controls, stemming from legislation, as well as from an evolving public perception of corporate governance, has had the biggest impact on the internal auditing profession in the past decade, according to Bendermacher. “These are very important trends we have seen over the past 10 years,” he says. “They mean that internal auditing has shifted from controls testing to a much broader view of management and governance controls. The implementation of the three lines of defense has also been important, at least in the Netherlands,” he adds.

In the past decade, many organizations have made a priority of integrating risk management into their processes for formulating and executing audit plans. This intensified focus on risk management created benefits for ABN AMRO by shifting the roles and responsibilities of the Group Audit function. “Evolving away from controls testing toward high-quality assessment of governance and management controls means that you need auditors who are more experienced, who have seen more and understand more,” he says. “They must be prepared to embrace management control framework knowledge – such as COSO – and they need to have a more comprehensive internal auditing and internal controls background.”

Bendermacher also maintains that the development of a common risk management language is essential. “We have to align the wording and the systems of risk analysis with operational risk management and compliance,” he says. “This is an opportunity that must be seized. Currently, risk management, compliance and audit are too siloed. Adopting a common language and view of risks would help tremendously. We should also work more closely with external auditors, who have made great strides in controls testing; for example, the types of testing we conduct at the bank. So it makes sense to work together, and collaborate more closely with senior management, to understand what worries them and what they would like us to be auditing. All of these factors should have an impact on our risk analysis. It would be highly constructive to have all of this input in the coming years.”

Changes in technology and a new awareness of control

ABN AMRO, like most financial institutions and other organizations around the world, leverages technology and audit tools to streamline workflow, improve testing, and communicate audit findings to stakeholders. “All of these tools have of course had their impact over the past decade,” Bendermacher says. But technology also ushers in risk.

“Data quality and data warehousing – in those areas I have seen many changes. Cybercrime and cloud computing have created very real risk. Banks are helping each other, and in the Netherlands, the larger banks are very effective and fast in reacting to these threats, but the danger is growing. In this era of increased threats, internal audit should play a role in continuous auditing and monitoring of all traditional and emerging risks.”

Bendermacher says that 10 years ago the main focus was on key controls, a focus that spread from the United States to Europe in the wake of Sarbanes-Oxley. “I said then, let’s not overemphasize the key controls. Being in control is not only about key controls – you have to look at non-key and soft controls, too. Otherwise, you will develop a lack of real internal control awareness. You will rely too heavily on simply checking off the boxes. In my opinion, that era actually eroded true control.”

The decade ahead

In the next decade, Bendermacher expects to see the reporting line of internal audit become more independent, and reporting of non-financial risks to be combined between the second and third lines of defense. He would also like to see a stronger stance on solution management – not simply the writing of recommendations, but true communication and follow-up.

“I think that skill sets will need to continue to change and evolve,” he says. “The internal audit professional will need to broaden skills. More communication skills, more comprehensive business knowledge, a broader definition of control, a greater awareness of technology-related risks, and a better understanding of how to connect all the dots for senior management to take action.”

“The key takeaway is that CAEs embracing the future auditor vision are better positioned to demonstrate to executive management and the board the value contributed by internal audit through their comprehensive risk-focus and forward-looking, change-oriented and highly adaptive behavior.”

- “The Future Auditor: The Chief Audit Executive’s Endgame,” The Bulletin, Volume 5, Issue 6, Protiviti