Has Internal Audit Measured Up? What Do We Do Next?

The following article was first published in the Global Risk Update published by Risk Reward Limited.

Over the past few years banks have constantly been in the news, unfortunately rarely for the right reasons. A number of different scandals have hurt both the reputation and image of the industry. Foremost amongst these scandals are:

The Financial Crisis—a well documented global disaster
A Foreclosure Crisis—the reaction of banks to mortgage defaulters
Libor Manipulation—affected the most important borrowing/lending rate in the world
Rogue Trading—several episodes where unauthorised trading exposures led to huge losses
Energy Markets Manipulation—subject of major new investigation by the SEC/CFTC
Money Laundering—a number of major banks have paid very hefty fines
Insider Trading—has involved some major figures on Wall Street and the City
Product Mis-Selling—massive fines for major banks

This does not make good reading for anyone involved in the industry but auditors in particular have real cause for concern.

The Failure Of Internal Audit

Internal audit is supposed to be the one function within an organisation that provides independent overview and assessment of all other functions i.e. not just management in general but risk, credit, compliance and finance. It is internal audit’s responsibility to provide senior management with an assurance that all functions are performing to the best of their ability such that they will safeguard the assets and reputation of the institution.

Yet it is apparent that in one form or another the function has failed, and the fact is that it continued to fail, despite the plethora of new rules and regulations that have been imposed in recent years.

Whichever way you want to look at it, the ongoing inability of internal audit to identify, report or cause management to act on major failings reflects very badly on banking institutions as a whole, but particularly badly on auditors, internal as well as external. The sheer scale of some of the scandals noted above makes such failure all the more disturbing.

My own personal experience, gained from working as a consultant with a number of major global financial institutions, is that internal auditors themselves have become sceptical of their role and the effectiveness of their work. While this should not be surprising, it does lessen the likelihood that internal auditors will be able to rise to new challenges.

What does all this mean for the internal auditor?

How can auditors continue to retain the faith of management or indeed faith in themselves?

Is the current approach to internal audit flawed and if so what do we need to change?

If there is a need for change where do we begin and what do we need to do?

Governance And Internal Controls Remain The Primary Responsibility Of Management

The first thing that internal auditors have to remember is that the maintenance of an appropriate system of governance and internal controls remains the primary responsibility of management, and not internal audit.

Such an assertion is perhaps small comfort but for the internal auditor it is important from two critical perspectives. The first is that it firmly establishes where the primary blame for failure resides and the second is that it provides a very clear and strong indication as to where internal auditors must begin their quest for improvement.

The quest for improvement must begin with management and the business.

Challenging the Board and Senior Management: Conduct Risk

It is imperative that internal auditors understand that the quest for better governance and internal controls does not begin with the audit of governance and internal controls but with a thorough examination of management and the business.

If internal auditors are to change and add greater value then they must move beyond simply examining and reporting risks and internal control failures after the fact. Instead, internal auditors should adopt an approach which includes challenging management and the board to explain to them how and why the very nature of their business and operational strategies are consistent with good governance and internal controls.

For example, internal auditors should be asking management how the risk appetite and profile of the business is consistent with the aims and objectives of the institution. They should enquire and determine whether or not there are periodic review mechanisms that ensure all assumptions made about the business (credit, risk, markets, customers, profitability and overall resources) remain consistent with those aims and objectives.

More importantly, internal auditors should enquire as to how the institution’s business approach, including its delivery of products and services, will specifically impact customers under a variety of scenarios, and how such an approach deters or avoids negative outcomes.

The absolute need to adopt this approach was recently reinforced by messages from the FCA (Financial Conduct Authority) which has developed a laser-like focus on “conduct risk”.

A loose interpretation of conduct risk is “the conduct or behaviours arising from the provision of products or services that are likely to have an impact on customers. Institutions should note that the assessment of conduct risk goes beyond compliance with regulations”.

In other words, it is no longer good enough for an institution to focus on complying with regulations as in the event of a negative outcome for customers, its conduct and behaviours will also be taken into account.

Auditing Corporate Governance

As internal auditors must be prepared to challenge the board and management on their business assumptions as well as their stewardship of corporate governance and internal controls, the obvious question that arises is: how should one audit corporate governance?

The first and more traditional approach is to check that there are clear lines of authority from the board and senior management and that every business line or activity is covered by those lines of authority. Consistent with this is the need to ensure that there is an authority and a mechanism for assessing and reporting on each of those business activities by all of the relevant control functions: audit, risk, SOX, credit, compliance and finance.

All of the above should be captured within the institution’s corporate governance framework, which should be documented and signed off at the highest levels. The framework must also include the relationship between the board and management, their various committees (e.g. the Audit Committee), and the rest of the institution.

The second approach is one which many (if not most) organisations find more difficult but which in reality is just as important as the first. It involves ensuring that management has established a mission and a system of values (covering such issues as ethics, integrity, whistleblowing etc.) for the institution. It is then important to establish whether or not there are appropriate mechanisms for ensuring that said mission and values are recognised, understood and consistently practised throughout the institution, including in the delivery of products and services.

The real difficulty is that this goes well beyond the realms of compliance activities and into the question of how one engenders good behaviours.

The Challenge Of Overly Complex Organisation Structures and Systems

Another area in which internal auditors must challenge management is in the very structure of the business they are required to audit.

One of the most significant challenges for many internal auditors in large organisations is that the structure of many institutions or business units, meaning the IT systems, processes and procedures, has become overly complex. Sometimes, this is due to the sheer size of the organisation but this is not always necessarily the case. In such instances, the most difficult part of the audit is determining the scope and then defining where it begins, where it ends and what needs to be covered in between.

Rather than routinely accepting such complexity as a fait accompli, internal auditors should be advising management that such structures expose the organisation to higher yet avoidable levels of risk, and then work with management to reduce it.

Undertrained, Underdeveloped and Poorly Integrated Operations Staff

We have all experienced it.

You are conducting an audit of operations and you ask someone in the processing chain what happens to a document or process after they have completed their task. You get a blank stare after which you are politely told “I don’t know”. It is then you realise that many of the people working in operations have no idea what the person to either the left or the right of them is doing.

This might be OK if you are in a bottled water factory where someone watches to see that all the bottles are filled with water, another checks to see that the caps are on and finally someone ensures that the capped bottle of water is placed in a box or on a pallet for distribution.

However, banking and financial services are very different because of their complexity and continuous change. As such, if operations staff remain static, it increases the risk that something might fall through the cracks. The problem is this: in banking and financial services, things that fall through the cracks are internal control weaknesses that could cost millions and sometimes billions of dollars.

Auditors should encourage Operations to improve the efficiency and effectiveness of their operations teams by way of better staff training and team development. There is no question that a similar argument can routinely be made for managers and staff in other functions such as credit, risk and compliance.

Internal auditors should always remember that the operations internal control function is the first line of defence, and the better that works the better it is for auditors, management and shareholders alike.

Improving The Efficiency and Effectiveness Of Audits

There are far too many audit departments that have programmed themselves to do a certain number of annual audits irrespective of what is happening around them. In many cases the whole idea of the audit function is to impress the boss by demonstrating just how many audits were completed on-time during the year. Where there is a branch network the focus becomes how many branches can be audited in the year.

I call the above “robot auditing” in that it turns the whole internal audit department into robots, and the mere act of doing an audit becomes an objective in and of itself. Why is this a negative approach?

  1. It emphasises quantity over quality and that can never be good under any circumstance
  2. It is inevitable that some areas of the business will require greater focus and attention than others
  3. Turning auditors into robots has an adverse effect on the morale of the audit team
  4. Poor morale leads to poor audits and higher staff turnover which again leads to poor audits

There is a simple way to avoid all of this. Adopt a risk-based audit approach.

Adopting A Risk-Based Audit Approach

In order to adopt a risk-based audit approach the internal audit function must establish a consistent framework by which it assesses the risk inherent in each identifiable business activity. This assessment would include such factors as product or service complexity, P/L and/or balance sheet impact, the legal and reputational risks involved and the current state of the internal controls.

Once such a framework has been established, internal audit then has an approach which it can present to management, describing which specific areas of the business it will focus on and why, as well as why other areas will move to a different audit cycle, whether annual, biennial or even quarterly.

The risk-based audit approach enables scarce audit resources to be focused on the areas of the business which have the most risk. This automatically enables internal audit to provide management with greater assurance and insights as to the status of governance and internal controls and the risks they potentially represent to the organisation and its assets.

Training And Development Of Internal Auditors

Finally, in addition to gaining knowledge about the technical aspects of products and how they must be managed, it is imperative that internal auditors keep abreast of all the legal and regulatory developments which impact financial services.

Unfortunately, the post financial crisis era has witnessed a plethora of new legislation and regulation from the US, the UK, the EU, the Basel Committee and a whole host of other bodies in various jurisdictions. It is a necessary challenge to keep up.

Yet learning the requirements of new legislation and regulation is but one part of the story. The other part is learning how these new requirements are to be implemented and what actually constitutes best and sound practice.

Internal auditors should consistently seek out learning environments which provide them with opportunities both to update their legal and regulatory knowledge and to learn from industry specialists and their peers.

Internal audit exists to provide the board and senior management with reasonable assurance, not a cast-iron guarantee. In order to provide that reasonable assurance it now needs to take a major step forward.

Jonathan Ledwidge is Director of Risk & Internal Audit at Risk Reward Limited, an author and thought leader on issues surrounding change and transformation within banking. He is the author of the book Clearing The Bull, The Financial Crisis And Why Banks Need A Human Transformation.
