The Basel Committee on Banking Supervision has updated its guidance for Supervisors for assessing the adequacy of the internal audit function in banks. Earlier this year, I commented on the draft, and the IIA provided comments in a letter to the Committee.
The final product is better and is a useful read for boards and internal audit practitioners regardless of industry. While it lays out guidance for banking supervisors and examiners, there is no reason it cannot be referenced by those responsible for governance or execution of the internal audit function.
The guidance has 20 principles, for each of which it has extended and useful discussion. Of the 20, 5 relate to supervisor action and are not discussed further here.
Here are their principles and key points, with a few comments (shown as ‘ndm note’) on areas of interest and potential controversy – such as recommendations not to outsource the function (principles 8 and 15, together) or pay internal auditors based on organizational performance (part of principle 2).
Principle 1: An effective internal audit function provides independent assurance to the board of directors and senior management on the quality and effectiveness of a bank’s internal control, risk management and governance systems and processes, thereby helping the board and senior management protect their organisation and its reputation.
The internal audit function should develop an independent and informed view of the risks faced by the bank based on their access to all bank records and data, their enquiries, and their professional competence. The internal audit function should be able to discuss their views, findings and conclusions directly with the audit committee and the board of directors, thereby helping the board to oversee senior management.
Principle 2: The bank’s internal audit function must be independent of the audited activities, which requires the internal audit function to have sufficient standing and authority within the bank, thereby enabling internal auditors to carry out their assignments with objectivity.
The internal audit function must be able to perform its assignments on its own initiative in all areas and functions of the bank. It must be free to report its findings and assessments internally through clear reporting lines.
The internal audit function should not be involved in designing, selecting, implementing or operating specific internal control measures. However, the independence of the internal audit function should not prevent senior management from requesting input from internal audit on matters related to risk and internal controls. Nevertheless, the development and implementation of internal controls should remain the responsibility of management.
Continuously performing similar tasks or routine jobs may negatively affect an individual internal auditor’s capacity for critical judgement because of possible loss of objectivity. It is therefore a sound practice, whenever practicable and without jeopardising competence and expertise, to periodically rotate internal audit staff within the internal audit function.
ndm note: This is a debatable point.
The independence and objectivity of the internal audit function may be undermined if the internal audit staff’s remuneration is linked to the financial performance of the business lines for which they exercise internal audit responsibilities.
ndm note: This would apparently bar bonuses or raises based on corporate performance.
Principle 3: Professional competence, including the knowledge and experience of each internal auditor and of internal auditors collectively, is essential to the effectiveness of the bank’s internal audit function.
Principle 4: Internal auditors must act with integrity.
Principle 5: Each bank should have an internal audit charter that articulates the purpose, standing and authority of the internal audit function within the bank in a manner that promotes an effective internal audit function as described in Principle 1.
Principle 6: Every activity (including outsourced activities) and every entity of the bank should fall within the overall scope of the internal audit function.
The scope of internal audit activities should include the examination and evaluation of the effectiveness of the internal control, risk management and governance systems and processes of the entire bank, including the organisation’s outsourced activities and its subsidiaries and branches.
The internal audit function should independently evaluate the:
- Effectiveness and efficiency of internal control, risk management and governance systems in the context of both current and potential future risks;
- Reliability, effectiveness and integrity of management information systems and processes (including relevance, accuracy, completeness, availability, confidentiality and comprehensiveness of data);
- Monitoring of compliance with laws and regulations, including any requirements from supervisors (see the following sub-section for more details); and
- Safeguarding of assets.
ndm note: I like the phrase at the end of the first bullet: “in the context of both current and potential future risks”.
The [audit] plan should be based on a robust risk assessment (including input from senior management and the board) and should be updated at least annually (or more frequently to enable an ongoing real-time assessment of where significant risks lie). The board’s approval of the audit plan implies that an appropriate budget will be available to support the internal audit function’s activities. The budget should be sufficiently flexible to adapt to variations in the internal audit plan in response to changes in the bank’s risk profile.
Principle 7: The scope of the internal audit function’s activities should ensure adequate coverage of matters of regulatory interest within the audit plan.
A bank’s risk management processes support and reflect its adherence to regulatory provisions and safe and sound banking practices. Therefore, internal audit should include in its scope the following aspects of risk management:
- the organisation and mandates of the risk management function including market, credit, liquidity, interest rate, operational, and legal risks;
- evaluation of risk appetite, escalation and reporting of issues and decisions taken by the risk management function;
- the adequacy of risk management systems and processes for identifying, measuring, assessing, controlling, responding to, and reporting on all the risks resulting from the bank’s activities;
- the integrity of the risk management information systems, including the accuracy, reliability and completeness of the data used; and
- the approval and maintenance of risk models including verification of the consistency, timeliness, independence and reliability of data sources used in such models.
When the risk management function has not informed the board of directors about the existence of a significant divergence of views between senior management and the risk management function regarding the level of risk faced by the bank, the head of internal audit should inform the board about this divergence.
ndm note: This last imposes an interesting duty on internal audit to represent the risk management function.
Internal audit should also include in its scope (the list is not intended to be exhaustive):
- The organisation and mandate of the finance function;
- The adequacy and integrity of underlying financial data and finance systems and processes for completely identifying, capturing, measuring and reporting key data such as profit or loss, valuations of financial instruments and impairment allowances;
- The approval and maintenance of pricing models including verification of the consistency, timeliness, independence and reliability of data sources used in such models;
- Controls in place to prevent and detect trading irregularities;
- Balance sheet controls including key reconciliations performed and actions taken (e.g. adjustments).
ndm note: Internal audit functions at banks will have to work with the supervisors/examiners with respect to reliance on a separate SOX compliance/testing function.
Principle 8: Each bank should have a permanent internal audit function, which should be structured consistent with Principle 14 when the bank is within a banking group or holding company.
Internal audit activities should normally be conducted by the bank’s own internal audit staff. When internal audit activities are partially or fully outsourced, the board of directors remains ultimately responsible for these activities and for maintaining an internal audit function within the bank. Outsourcing of internal audit activities is further addressed in principle 15 and related paragraphs.
Principle 9: The bank’s board of directors has the ultimate responsibility for ensuring that senior management establishes and maintains an adequate, effective and efficient internal control system and, accordingly, the board should support the internal audit function in discharging its duties effectively.
At least once a year, the board of directors should review the effectiveness and efficiency of the internal control system based, in part, on information provided by the internal audit function. Moreover, as part of their oversight responsibilities, the board of directors should review the performance of the internal audit function. From time to time, the board of directors should consider commissioning an independent external quality assurance review of the internal audit function.
It is an established practice for senior management to report to the board of directors on the scope and performance of the internal control framework.
Senior management should inform the internal audit function of new developments, initiatives, projects, products and operational changes and ensure that all associated risks, known and anticipated, are identified and communicated at an early stage.
Senior management should ensure that the head of internal audit has the necessary resources, financial and otherwise, available to carry out his or her duties commensurate with the annual internal audit plan, scope and budget approved by the audit committee.
Principle 10: The audit committee, or its equivalent, should oversee the bank’s internal audit function.
Principle 11: The head of the internal audit department should be responsible for ensuring that the department complies with sound internal auditing standards and with a relevant code of ethics.
Principle 12: The internal audit function should be accountable to the board, or its audit committee, on all matters related to the performance of its mandate as described in the internal audit charter.
Principle 13: The internal audit function should independently assess the effectiveness and efficiency of the internal control, risk management and governance systems and processes created by the business units and support functions and provide assurance on these systems and processes.
Principle 14: To facilitate a consistent approach to internal audit across all the banks within a banking organisation, the board of directors of each bank within a banking group or holding company structure should ensure that either:
- the bank has its own internal audit function, which should be accountable to the bank’s board and should report to the banking group or holding company’s head of internal audit; or
- the banking group or holding company’s internal audit function performs internal audit activities of sufficient scope at the bank to enable the board to satisfy its fiduciary and legal responsibilities.
Principle 15: Regardless of whether internal audit activities are outsourced, the board of directors remains ultimately responsible for the internal audit function.
It is recommended that large banks and internationally active banks perform internal audit activities using their own staff. However, outsourcing of internal audit activities, but not the function, on a limited and targeted basis can bring benefits to banks such as access to specialised expertise and knowledge for an internal audit engagement where the expertise is not available within the internal audit function. Outsourcing could also alleviate temporary resourcing constraints which might otherwise jeopardise the execution of the audit plan.
As a sound practice, banks should not outsource internal audit activities to their own external audit firm.
I welcome your comments and views. What do you think of this guidance and how useful will it be to you in your practice?