The role of Internal Audit (IA) functions in banks and financial firms is changing. Their core role – to provide assurance of the safety and soundness of the bank to the board and to the regulators – is now more challenging, more complex and more critical than ever. With the transformation of the sector following the financial crisis, particularly in terms of regulation and technological advances, banks need to deal with more risks and more controls in managing their business.
As part of this, the IA function must be ‘fit for purpose’ in assuring that a bank is well controlled at all levels. If IA does not identify and understand the critical risks the bank is exposed to and the effective controls to mitigate them, then its function is redundant. The success of the IA function is judged not by the extent of the programme of projects it conducts each year, but by how it prioritises its work plans, deploying resources and budgets where the organisation is most vulnerable.
The pressures on IA functions are growing. Firstly, the swathe of new regulations being imposed on banks has resulted in internal auditors playing a primary role in monitoring compliance and liaising with the regulators. They have effectively become ‘quasi-regulators’ and regulators now view them as a valuable resource, preferring to communicate with a competent IA team rather than attempting to gather and comb through all the relevant documents and data themselves.
Secondly, when it comes to advances in technology, the implications for audit teams are vast. They have a vital role in assuring that there are adequate processes in place for new product approvals, so that effective controls have been built and then challenged by the risk and compliance functions. An illustration would be the acquisition of customers through big data and predictive analytics in a way that does not compromise privacy rules and KYC processes.
The fact that audit teams are now presented with reviewing increasingly complex and cumbersome audit trails, often in global institutions with siloed business streams and second line functions, means they are under huge pressure to maintain their primary purpose: to provide assurance to executive management and regulators that risks within banks are monitored and highlighted effectively. Moreover, because of the siloed structure of a typical complex organisation, auditors often have to join the dots in order to identify a threat. In recognition of this, the Chartered Institute of Internal Auditors and the Institute of Internal Auditors have issued standards and guidance to support internal audit teams, but banks also need to recognise the complexities of auditing in this new environment and ensure they are properly equipped.
Firstly, banks must empower IA teams with influence at Board level. As the Chartered Institute of Internal Auditors has recommended, they should be reporting to the Board Risk Committee (and any other relevant Committees), and tasked with reporting on emerging risks and control failures. It’s vital that conflicts of interest are removed (such as the audit team reporting into the CFO), so there is no reticence to report the facts honestly.
Secondly, audit teams must have the skills and human capital in place to manage the volume of work and technical challenges they face. In the past, the level of skill and the number of staff within IA teams have been lacking. Both need to be regularly reviewed to ensure that audit teams are able to keep on top of the evolving risks and regulations.
Thirdly, a rigorous methodology for delivering effective controls across the whole organisation must be clearly defined. Success must be judged not on the completion of the projects but on the “value add” to the organisation in identifying risks, reorganising inefficient structures and highlighting key vulnerabilities.
Finally, as we move into the digitisation of banking services, it is crucial for IA to be involved and to “assure” that the “risk owners” and “risk challengers” have controls in place to identify and mitigate the core risks. Indeed, IA should not be conducting box-ticking exercises; rather, project budgets should be prioritised and aligned with the greatest risks to the bank, within an optimal control framework. The new agenda for IA is to ensure that the Target Operating Model is fit for purpose to deliver the Business Model and is in sync with the risk appetite. An active IA function is the core driver of assurance that the organisation is delivering sustainable shareholder returns and that risk mitigation programmes are being implemented to reduce vulnerabilities. As a very senior regulator once commented, “I don’t want any surprises”.