July 15, 2013
The UK Chartered Institute of Internal Auditors (CIIA) recently issued a guidance paper titled “Effective Internal Audit in the Financial Services Sector.” The paper contains a series of recommendations from the Committee on Internal Audit Guidance, an independent, industry-led body created by the CIIA to produce the recommendations. Although described as “guidance,” having been “welcomed” by the relevant UK financial services regulatory bodies, in practice the paper’s recommendations should be viewed as “standards” against which the internal audit functions of firms should be assessed.
To which firms and to whom does the guidance apply?
The recommendations apply to all firms operating in the financial services sector in the United Kingdom, whether or not they are headquartered there. And the recommendations are not just addressed to internal auditors; many are addressed to executive and non-executive directors of the firms, as well as regulators.
What is new?
In theory, nothing. The paper, in fact, reiterates guidance issued in other jurisdictions following the financial crisis that is intended to reinforce the importance of the role played by internal audit in the financial services sector and to remind internal auditors, company management and directors of their roles in ensuring the effectiveness of the internal audit function.
The recommendations, which are principles-based, are intended to be applied in conjunction with existing IIA Standards, but also build on those standards and provide a financial services context for them. In practice, there is an expectation that many, if not all, firms will require some change in order to comply with them.
The recommendations address:
- The role and mandate of internal audit
- The scope and priorities of internal audit
- Reporting results
- Interaction with risk management, compliance and finance
- Independence and authority of internal audit
- Quality assessment
- Relationships with regulators
The recommendations include the following key points:
- The scope of internal audit should be unrestricted. Specific areas that should be within scope include:
  - Internal governance
  - Information presented to the board and management to support strategic and operating decisions
  - The setting of, and adherence to, risk appetite
  - The risk and control culture of the organization
  - Risks of poor customer treatment, giving rise to conduct or reputational risk
  - Capital and liquidity risk
  - Key corporate events, such as the introduction of new products and services or acquisitions or divestitures
  - Outcomes of processes
- Internal audit should assess whether the organization's processes and actions are in line with its values, ethics, risk appetite and other policies.
- In order to maximize its independence and objectivity, the primary reporting line of internal audit should be to the chair of the audit committee.
- Under no circumstances should internal audit rely exclusively on the work of risk management, compliance or finance; rather internal audit should always examine, for itself, an appropriate sample of the activities under review.
- Internal audit should be adequately resourced, skilled and quality assured.
The CIIA Guidance Paper can be found at:
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.