Banking Standards

Written evidence from the Chartered Institute of Internal Auditors

Summary of Key Points

Given the lack of the appropriate culture at the top of some institutions internal audit was not well placed to ensure that the governance of the organisation was effective and that appropriate behaviours were adopted.

If internal audit had been able to play its full and proper role in risk management in affected institutions, warning bells might have been sounded earlier and action to avoid or mitigate some of the worst effects of the crisis on consumers and the economy as a whole could have been taken.

In light of the perceived weaknesses in internal audit’s response before and during the crisis the Basel Committee on Banking Supervision has issued principles and guidance on the internal audit function in banks. IIA supports these.

Audit committees did not adequately understand or deliver their role and responsibilities in ensuring that the risks were being managed effectively, or were aware of the range and scope of risk.

Internal audit could be a more effective source of assurance to the board. IIA believes that the role of internal audit should be strengthened and, to this end, should feature more prominently in regulation and guidance. The FRC’s Code of Corporate Governance and the supporting Guidance for Audit Committees need to be updated and brought into line with international best practice.

Positive whistleblowing policies must be a key element in establishing the right tone and culture throughout an organisation.

Professional internal audit standards in the UK are not defective.

The Chartered Institute of Internal Auditors

1. Established in the UK and Ireland in 1948, the Chartered Institute of Internal Auditors (IIA) has over 8,000 members. It is the only professional body dedicated exclusively to training, supporting and representing internal auditors in the UK and Ireland. We are part of a global network of 170,000 members in 175 countries.

2. Members of the IIA work in all sectors of the economy: private business (including most FTSE 100 organisations), government departments, utilities, voluntary sector organisations, local authorities, and public service organisations such as the National Health Service. All members work to the same global International Standards and Code of Ethics, which are part of a globally agreed International Professional Practices Framework and have been recognised in the Financial Reporting Council’s Guidance for Audit Committees and adopted in UK central government’s Government Internal Audit Standards and in the internal audit standards for the NHS.

3. The IIA offers a postgraduate level professional qualification in two stages, leading to the designation “CMIIA” (Chartered Internal Auditor), with an ongoing requirement for professional development and adherence to professional standards.

What is internal audit?

4. All organisations face risks in everything they do. It is the role of senior management and the board to put in place frameworks and processes to manage all types of risks and to monitor how successful they are at managing them. Internal audit provides assurance to the board on the effectiveness of these frameworks and processes.

5. To perform their role effectively, internal auditors must build strong relationships with line managers, audit committee chairs and members, chief executives and board chairmen. These relationships enable the internal auditor to champion effective risk management, challenge those responsible for it on its success and use their knowledge of the business and the management of risk to act as a catalyst for improvement in an organisation’s risk management practices.

6. Internal audit is a function that belongs to the organisation and sits within the governance structure; but it must be independent of the areas it evaluates and internal auditors must be free from undue influence from management, or indeed, anyone else, so that their judgments can be as objective as possible. To help safeguard their objectivity and independence, the head of internal audit should report directly to the audit committee.

7. Internal audit is essential to the long term success of an organisation. This is because, alongside non executive directors, executive management and external audit, internal audit is one of the four cornerstones of good corporate governance. Without it, the board would lack information and insight into how well the people within the organisation are managing their risks.

Three lines of defence

8. The three lines of defence model has been increasingly applied to corporate governance, and particularly risk management, over recent years. The IIA finds it useful to help demonstrate the different roles in governance and the interplay between them.

9. The IIA believes that risk management is an essential part of management. The first line of defence is formed by line managers and staff who own the risks that they take every day.

10. In larger organisations, there are specialist risk management, control and compliance functions which support this work. They form the second line of defence. They facilitate risk management activities, advise line managers and help ensure consistency of definitions and measurement of risk.

11. Internal audit provides the third line of defence. It is part of the governance process but sits outside of the risk management process. Internal audit regularly evaluates the effectiveness of each element of the risk management process and of the process overall, ie the performance of the first and second lines of defence. Internal audit may (and indeed should) use the outputs of risk management activity in forming its conclusions.

Responses to the Commission’s Questions Relating to Internal Audit

1. To what extent are professional standards in UK banking absent or defective? How does this compare to (a) other leading markets (b) other professions and (c) the historic experience of the UK and its place in global markets?

IIA believes that, as for all listed companies in the UK, internal audit in the banking sector needs to be carried out by professionally qualified staff from an appropriate range of backgrounds in order to ensure that the information and analysis required by the board, and in particular the audit committee, is sufficient to meet both the internal control and risk management needs of the organisation. Professional standards in the UK are not defective. IIA members adhere to a global set of standards prepared by IIA Global, representing over 175,000 members worldwide. However it is widely documented that internal audit focused too heavily on internal processes and controls prior to the banking crisis, and it could be argued that boards and their audit committees, had they been focusing more on strategic level risks to their organisations, could have strengthened internal audit by supplementing specific internal audit skills with other specialist competences.

In light of the perceived weaknesses in internal audit’s response before and during the crisis the Basel Committee on Banking Supervision has issued principles and guidance on the internal audit function in banks. IIA supports these.

In the UK, at the invitation of the FSA and with their participation as observers, the IIA is currently undertaking an exercise to draft new guidance on internal audit for the financial services sector. We should have concrete proposals by March 2013 and hope that the PRA and FCA will support them across the financial services sector, but in particular in the systemically important financial institutions (SIFIs).

2. What have been the consequences of the above for (a) consumers, both retail and wholesale, and (b) the economy as a whole?

If internal audit had been able to play its full and proper role in risk management in affected institutions, it is conceivable that warning bells would have been sounded earlier and action to avoid or mitigate some of the worst effects of the crisis on consumers and the economy as a whole could have been taken.

3. What have been the consequences of any problems identified in question 1 for public trust in, and expectations of, the banking sector?

Public trust in the banking sector has been undermined by the high risk strategies run by many institutions, which ultimately caused their downfall. Effective internal audit regimes would at least have raised questions about the appropriateness of the risk profiles of those institutions, although we recognise that warnings may not necessarily have been heeded given the expectations, common culture and herd instinct of the sector as a whole.

4. What caused any problems in banking standards identified in question 1? The Commission requests that respondents consider (a) the following general themes:

the culture of banking, including the incentivisation of risk-taking;

IIA believes that remuneration packages encouraged staff, from the trading floor up to senior executives, to take short term views on risk that benefited themselves, rather than long term views on the good of the organisation and its shareholders. Very few within the executive management and boards had sufficient knowledge or understanding of the features and risks of complex financial instruments. It is questionable whether audit committees adequately understood or delivered their role and responsibilities in ensuring that the risks were being managed effectively, or were aware of the range and scope of risk. Given the lack of the appropriate culture at the top of some institutions internal audit was not well placed to ensure that the governance of the organisation was effective and that appropriate behaviours were adopted.

the impact of globalisation on standards and culture;

global regulatory arbitrage;

the impact of financial innovation on standards and culture;

the impact of technological developments on standards and culture; and

corporate structure, including the relationship between retail and investment banking;

The merger of retail and investment banking made it more difficult to construct a single risk management structure that could be effectively overseen by internal audit. If these activities had been separate, the audit of these two very different risk profiles might have been more effectively carried out.

the level and effectiveness of competition in both retail and wholesale markets, domestically and internationally, and its effects;

taxation, including the differences in treatment of debt and equity; and

other themes not included above;

and (b) weaknesses in the following somewhat more specific areas:

the role of shareholders, and particularly institutional shareholders;

creditor discipline and incentives; and

corporate governance, including

the role of non-executive directors;

the compliance function;

internal audit and controls; and

remuneration incentives at all levels.

Internal audit should provide assurance to the board—and to the audit committee in particular—on the identification, management and mitigation of risk. In the case of the financial crisis it is clear that internal audit was part of the structure in banks and insurance companies that went wrong. Particularly important was that internal audit and audit committees tended to be focused on process and internal controls within the organisation, and were not looking at the wider strategic risk picture. However, while internal audit must strive for independence and objectivity, it does not operate in a vacuum. The internal audit function must be free to challenge and empowered to look into all parts of an organisation’s operations, not shying away from particular areas. Internal auditors are commissioned by the audit committee to support its oversight functions. Internal auditors should show initiative, raising issues themselves and providing additional information and analysis. But if they in turn do not receive the necessary support from the audit committee and its chair, their effectiveness in key areas can be fatally undermined. The audit committee and Chair must recognise the critical importance of maintaining internal audit’s objectivity and independence and that, if they do not do so, it is very difficult for internal audit to play an effective role in providing assurance and in producing the information and input that is required.

recruitment and retention; and

arrangements for whistle-blowing;

It is clear that positive whistleblowing policies must be a key element in establishing the right tone and culture throughout an organisation. Internal audit plays a central role in this, eg as a first point of contact for whistleblowers, as an instrument to deal with information given by whistleblowers to the board, its chair, or its audit committee, or as a whistleblower itself. It is not clear whether the whistleblowing arrangements themselves were inadequate in the run-up to the financial crisis or whether warning voices were drowned out because the prevailing culture, led from the top, did not support questioning the overall risk strategy.

external audit and accounting standards;

the regulatory and supervisory approach, culture and accountability;

the corporate legal framework and general criminal law; and

other areas not included above.

5. What can and should be done to address any weaknesses identified? To what extent are such weaknesses subject to remedial corporate, regulatory or legislative action, domestically or internationally?

Internal audit could be a more effective source of assurance to the board. It has a strategic value which could be better harnessed. For example:

In helping the board to develop a greater awareness about the changing nature of risks and their potential impacts, and in challenging current assumptions.

In helping to create the right culture and behaviours within the board and throughout the organisation towards the management of risk.

In promoting a clearer and more forward looking perspective in the board and senior management on the need for more effective risk management in the achievement of strategic objectives.

The independence and objectivity of internal audit should be enhanced and preserved by ensuring that they are not undermined by the functional and administrative reporting arrangements. The Basel Committee on Banking Supervision’s principles for internal audit (June 2012) recommend that “The bank’s internal audit function must be independent of the audited activities, which requires the internal audit function to have sufficient standing and authority within the bank, thereby enabling internal auditors to carry out their assignments with objectivity.”

On administrative reporting, there has to be some link into the organisation and this should be with the most senior manager in the organisation. However the audit committee should be responsible for

the appointment of the head of external audit;

the determination of the work programme of internal audit;

the determination of the objectives of the head of internal audit;

the appraisal of the head of the internal audit’s performance against those objectives; and

the remuneration of the head of internal audit, ensuring that it is arrived at on a different basis from other members of the management team, and not linked to short term financial performance. The Basel Committee recommends that remuneration “should be structured to avoid creating conflicts of interest and compromising independence and objectivity.”

The internal audit team must have sufficient expertise to perform its role effectively, and it is the responsibility of the head of internal audit to acquire human resources with sufficient qualifications and skills to audit to the required level. This does not necessarily mean that all internal auditors must be qualified with the IIA’s qualifications, although we would argue that it is necessary for the head of internal audit and a significant proportion of his/her staff to be appropriately qualified. However internal audit teams are likely to need external expertise in order to give the right mix of skills and ensure there is full understanding of the risks that are being managed. This could be bought in from outside or through rotating staff from elsewhere in the organisation. The Basel Committee guidelines recommend that a bank’s external auditors should not be used to provide internal audit functions. Where outsourcing arrangements are in place the head of internal audit should maintain oversight and ensure that the use of experts does not compromise the independence and objectivity of the internal audit function.

6. Are the changes already proposed by (a) the Government, (b) regulators and (c) the industry sufficient? Respondents may wish to refer to the Financial Services Bill and the Government’s proposals for the Banking Reform Bill. They may also wish to refer to proposals by the Bank of England and the Financial Services Authority on how the Financial Policy Committee, Prudential Regulation Authority and Financial Conduct Authority will operate in practice.

IIA believes that the role of internal audit should be strengthened and, to this end, should feature more prominently in regulation and guidance. We recognise that companies should be given flexibility to establish their internal audit arrangements according to their size and circumstances. But given the specific terms of the OECD Corporate Governance Guidelines on where internal audit should sit in an organisation, the IIA International Standards stating that the head of internal audit should have “direct and unrestricted access to senior management and the Board”, and “organizational independence” where he/she “reports functionally to the Board”, and the Basel Commission’s Principle that internal audit be “independent of the audited activities”, IIA believes the FRC’s Code of Corporate Governance and the supporting Guidance for Audit Committees need to be updated and brought into line.

Currently the FRC UK Corporate Governance Code does not adequately promote internal audit’s independent and objective support to the Board on risk management and internal control issues. We believe the FRC should strengthen the Code by specifying that internal audit functions should be directly accountable to the Board, where appropriate through an audit committee. While the FRC’s Guidance on Audit Committees is more specific about the relationship between internal audit and the audit committee, some of the recommendations there need to be brought into the Code itself. In particular the Code should specify that the board has ultimate responsibility for resourcing and tasking internal audit and the appointment, remuneration and functional management of the head of internal audit.

The FRC Guidance on Audit Committees should also specify that the audit committee should ensure that internal audit’s standing and authority in the organisation is commensurate with preserving its independence and objectivity. This could include specific guidance on functional and administrative reporting lines.

In contrast, the requirements in the public sector are much clearer. The Code of Good Practice for Corporate Governance in central government departments and similar guidance for local authorities are clear that “the board should ensure that effective arrangements are in place to provide assurance on risk management, governance and internal control. In this respect, the board should be independently advised by: … an internal audit service operating in accordance with Government Internal Audit Standards”.

7. What other matters should the Commission take into account?

At the invitation of the FSA, and with their participation as observers, the IIA is currently undertaking an exercise to draft new guidance on internal audit for the financial services sector. We should have concrete proposals by March 2013 and hope that the FSA/FCA will consider how they should be implemented.

27 September 2012

Prepared 19th June 2013