Effective Internal Audit in the Financial Services Sector - Key Points

Recently the Chartered Institute of Internal Auditors release their recommendations from the Committee on Internal Audit Guidance for Financial Services titled Effective Internal Audit in the Financial Services Sector.

This guidance document represents the final recommendation of the Committee on Internal Audit Guidance for Financial Services chaired by the highly experienced Roger Marshall, the Audit Committee Chair of a FTSE 100 insurance group and a director of the accountancy standards setter, the Financial Reporting Council (FRC).

The Committee on Internal Audit Guidance for Financial Services was set up as an independent, industry-led body by the Institute of Internal Auditors specifically for the purpose of developing this guidance in the wake of the credit crunch and the perceived weaknesses in the Internal Audit practice which have become to be seen as a contributory factor to the near melt down of the global financial services industry.

This is an important guidance document for both audit professionals, risk and compliance professionals and senior executives and board members as it sets out what good Internal Audit looks like in a post credit crunch world. Here are some key points;

A. Role and Mandate of Internal Audit

– The guidance makes it clear that “The primary role of Internal Audit should be to help the Board and Executive Management to protect the assets, reputation and sustainability of the organization”. Further it states that Internal Audit should achieve this by;

  • ensuring that all significant risks are identified and appropriately reported by management and the Risk function to the Board and Executive Management.

  • assessing whether they are adequately controlled.

  • challenging Executive Management to improve the effectiveness of governance, risk management and internal controls.

B. Scope and priorities of Internal Audit

  • There should be no aspect of the organisation which Internal Audit should be restricted from looking at.

  • Internal Audit should take into account business strategy and should form an independent view of whether the key risks to the organisation have been identified, including emerging and systemic risks.

  • Should assess how effectively these risks are being managed.

  • Internal audit’s view should be informed, but not determined, by the views of management or the Risk function.

  • In setting its priorities and deciding where to carry out more detailed work, Internal Audit should focus on the areas where it considers risk to be higher.

  • Internal Audit should make a risk-based decision as to which areas within its scope should be included in the audit plan.

  • Internal Audit’s scope should include;

  • Internal governance.

  • Board and Executive Management Information (MI), including the processes and controls supporting strategic and operational decision-making.

  • An assessment of whether the information presented to the Board and Executive fairly represents the benefits, risks and assumptions associated with the strategy and corresponding business model.

  • The setting and adherence to risk appetite (i.e is the business operating within appetite)

  • An assessment of whether risk appetite is embedded within the activities, limits and reporting of the organisation.

  • The risk and control culture – is ‘the way we do it around here’ aligned to the values, ethics, risk appetite and policies etc of the organization?

  • Risk of poor customer outcomes resulting in conduct or reputational risk – is the organisation acting with integrity in its dealings with customers and in its interaction with relevant markets.

  • Capital and Liquidity risk.

  • Key corporate events - restructuring or major change, new product introduction, M&A etc. Does the risk related to the event mean Internal Audit should be involved real time?

  • Outcome of processes – is the design and operating effectiveness of process and policies delivering the expected outcomes from an objectives, risk appetite and value point of view?

C. Reporting Results

When reporting their finding, Internal Audit should report through to the appropriate governance body; Board Audit Committee, Board Risk Committee etc

Reports should focus on;

  • Significant control weaknesses including robust root-cause analysis.

  • Thematic issues.

  • Independent view of risk management within the organization.

  • An annual assessment of the overall governance, risk and controls frameworks, practices and processes in place.

D. Interaction with Risk Management, Compliance and Finance

  • Effective Risk Management, Compliance and Finance functions are an essential part of an organisation’s corporate governance structure. Internal Audit should be independent of these functions and be neither responsible for, nor part of, them.

  • Internal Audit should assess the adequacy and effectiveness of the Risk Management, Compliance and Finance functions.

  • Internal Audit should exercise informed judgement as to when to place reliance on the work of Risk Management, Compliance or Finance.

E. Independence and Authority of Internal Audit

  • Chief Internal Audit should be senior enough in the organisation (normally on the executive committee) to challenge the Executive. Likewise, other senior Internal Audit roles should have comparable authority to the senior management whose activities they are accountable for auditing.

  • Internal Audit should have the right to attend and observe all or part of Executive Committee meetings and any other key management decision making forums.

  • Internal Audit should have sufficient and timely access to key management information and a right of access to all of the organisation’s records, necessary to discharge its responsibilities.

  • The primary reporting line for the Chief Internal Auditor should be to the Chairman of the Audit Committee.

  • The reporting line must avoid any impairment to Internal Audit’s independence and objectivity.

  • The Audit Committee should be responsible for appointing the Chief Internal Auditor and removing him/her from post.

  • The Chairman of the Audit Committee should be accountable for setting the objectives of the Chief Internal Auditor and appraising his/her performance.

  • The Chairman of the Audit Committee should be responsible for recommending the remuneration of the Chief Internal Auditor to the Remuneration Committee.

F. Resources

  • The Chief Internal Auditor should ensure that the audit team has the skills and experience commensurate with the risks of the organisation, and to provide effective challenge throughout the organisation and to the Executive.

G. Quality Assessment

  • The Board or the Audit Committee is responsible for evaluating the performance of the Internal Audit function on a regular basis.

  • Delivering the Audit Plan should not be the sole criterion for this evaluation.

  • Internal Audit should maintain an up-to date set of policies and procedures, and performance and effectiveness measures for the Internal Audit function.

H. Relationships with regulators

  • The Chief Internal Auditor, and other senior managers within Internal Audit, should have an open, constructive and co-operative relationship with regulators which supports sharing of information relevant to carrying out their respective responsibilities.