The proverbial dashboard for the risk environment of the financial services industry has been steadily flashing between yellow and red. With each new class-action lawsuit, settlement, trading loss, security breach or regulatory enforcement action, directors are asking, “How do we protect against these tail risk events that seem all too frequent?”
One unequivocal answer to that question is the need to have a comprehensive internal audit program that is responsive to the dynamic risk environment in which financial institutions operate. While internal audit is just one component of an organization’s risk management and control infrastructure, its unique role in an organization should make it a particularly powerful part of that infrastructure. Its ideally close relationship with an organization’s board of directors should give it the independence to probe wherever risks may point, and to punch above its weight when important weaknesses are identified and operational business changes are necessary. Also, its frequent position as the organization’s last line of defense can make internal audit a difference-maker in avoiding catastrophic events.
Challenges and Opportunities
In December 2011, the Basel Committee on Banking Supervision, drawing on the work of 18 banking regulators from nine countries, including three from the United States, issued a draft consultative document titled, “The internal audit function in banks.” This issuance reflects “ … developments in supervisory and banking practices and incorporates lessons drawn from the financial crisis.”1
The document outlines 20 key principles for an effective internal audit program, some of which are especially relevant to the rapidly changing operating environment, in which structural, legal, regulatory and technological changes are requiring frequent strategic and operational adaptations by banking organizations. Frequently, the result of these changes is more complexity in activities, products, delivery channels and organizational structure, which can sometimes cause diffused accountability in the operating business lines.
The Basel Committee’s 20 key principles address supervisory expectations related to the internal audit function, including its scope of coverage (specifically, Principle 6 states that “Every activity [including outsourced activities] and every entity of the bank should fall within the overall scope of the internal audit function”); management and oversight of the internal audit function (Principle 10 states, “The audit committee, or its equivalent, should oversee the bank’s internal audit function”), including internal audit’s role in corporate governance; and expectations for the internal audit function reporting to the audit committee or the board of directors and informing senior management about its findings.2
Another key feature of the consultative document is its reinforcement of the importance of the relationship between the supervisory authority and the internal audit function. The document contemplates both a close working relationship between the two as well as a thorough assessment of internal audit effectiveness by the supervisory authority.
Our Point of View
The messages in the Basel Committee document are clear:
- Professional competency and integrity are absolute prerequisites to internal audit effectiveness.
- Internal auditors, similar to their counterparts in risk management, must have the stature and respect in the organization that ensure they will be heard.
- Internal auditors must have free rein to go where the risks are, along with the resources to do so.
- Internal auditors must have the fortitude to stand firm when they need to deliver bad news.
- The internal audit function is responsible to the board of directors and the audit committee, not to management.
- The audit committee is responsible for reviewing and approving the audit plan, tracking progress against the plan, reviewing results of audits performed, and assessing the performance of the internal audit function on an annual basis.
The importance of the internal audit function to a financial organization’s business success, as well as its relationship with the organization’s regulator, is increasing. As the industry environment and business activities become more complex, the internal audit function must be responsive to resulting changes, especially in terms of its professional competence and the scope of its reviews. Regulators undoubtedly will be looking for signs that internal audit functions are ineffective or not being optimized. These signs may include:
- Inadequate or poorly documented risk assessments
- Insufficient resources and tools
- Failure to accomplish the annual audit plan in a timely manner
- Reductions in audit hours, scope or coverage
- Instances of management unduly influencing the scope or results of internal audits
- An unengaged audit committee
The failure of internal audit and/or the audit committee to exercise their expected mandates is like playing Russian roulette. It can result in very unfortunate business and regulatory outcomes.
How We Help Companies Succeed
Protiviti’s Financial Services Team understands the inherent risks our clients face and the challenges they encounter in developing and maintaining effective internal audit programs, as well as the unprecedented challenges they will face in implementing so many regulatory changes in the coming years. With delivery capabilities globally, we draw on our knowledge of the financial services industry and our deep competency in internal audit to:
- Assist in performing comprehensive audit risk assessments and developing comprehensive audit plans.
- Develop or redesign internal audit work programs.
- Perform audits and/or assist internal audit departments in executing them.
- Perform quality assurance reviews (QARs) of internal audit functions.
- Provide the audit committee an independent view of the effectiveness of the internal audit function.
We were engaged by a global financial institution to undertake a review of its compliance audit capabilities in light of new regulatory requirements. We reviewed the organization’s approach to performing a compliance risk assessment, its existing internal audit policies and procedures, and its current complement of compliance auditors, and made recommendations to the chief audit executive (CAE) for enhancing the compliance audit program. We also provided specialty compliance audit resources to assist the organization in completing scheduled compliance audits.