Internal Audit - Risk Reward Function

Risk Update Q1 2010

The quarterly independent risk review for banks and financial institutions worldwide

Risk Reward

© Risk Reward Ltd UK. All rights reserved. Available by subscription only – not for sale or resale

New Standards for Risk Management

Also in this issue

■ THE BANANA SKINS REPORT 2010
■ ARE BANKS BUILDING UP A DEADLY PORTFOLIO OF UNDERPERFORMING LOANS?
■ MODERNISING THE INTERNAL AUDIT FUNCTION
■ RISK BASED CORPORATE GOVERNANCE – THE NEW BIS PROPOSALS
■ TRADE FINANCE – LOWER THE RISK AND INCREASE THE REWARD!
■ ISLAMIC FINANCE: AN INTRODUCTION – PART 3
■ PROJECT MANAGEMENT ISSUES SPECIFIC TO IMPLEMENTING BASEL II
■ THE INTERSECTION – WHERE RISK, VALUE AND REWARD LINK


In 1998, when the Basel Committee issued its paper titled “Framework for Internal Control Systems in Banking Organisations”, the role of the audit function was for the first time given formal recognition. Principle 11 states:

“There should be an effective and comprehensive internal audit of the internal control system carried out by operationally independent, appropriately trained and competent staff. The internal audit function, as part of the monitoring of the systems of internal control, should report directly to the board of directors, or its audit committee and to senior management.”

It also emphasised, in principle 4 of the same paper, that internal control systems will be deemed ineffective if they do not consider and recognise material risks in their design. Thus, for the first time risk assessment was formally linked to sound systems of internal controls. Although some institutions were already practicing risk based auditing, it was not until this paper was issued that it got official recognition.

Recently, the Basel II Accord has reaffirmed these principles by stipulating that internal audit would have to capture in a larger way the application and effectiveness of risk management procedures and risk assessment methodology and critical evaluation of the adequacy and effectiveness of the internal control systems.

Basel II talks about risk based auditing in the context of management of operational and credit risk only; however, it has specific relevance to banks operating in emerging markets that are in the process of, or considering, implementing the accord. Whilst here in the UK we have had more than 10 years to practice risk based auditing, banks operating in emerging markets have now been forced to play catch up.

While the concept is straightforward, the application of a risk-based audit approach has taken many forms, from a once a year simple assessment of risk based on criteria defined by internal audit, or the board where these are available, to a much more complex model based approach where audit priorities and frequencies are reviewed and changed more frequently after considering the internal risk matrices of the bank. The choice depends upon the sophistication and risk maturity of the bank, capability of its audit team and the way in which the host regulators have translated these principles into their rule books.

Given the variety of risk-based forms available, for banks operating in the emerging markets, it is not a simple matter of just adopting a standard approach to risk-based audit as in practice there is no such thing. So what should a bank do when faced with modernising, or indeed establishing a new, audit function and what are the common traps that can endanger or derail its plans? It is perhaps best to discuss this question in the light of the UK experience. Why UK? Because perhaps the UK regulator has been the most advanced and successful regulator in the world in raising the profile and encouraging the firms under its supervision to take internal audit seriously.

MODERNISING THE INTERNAL AUDIT FUNCTION

Tariq Khan, B.Com, FCA, PIOR, is the newly appointed Head of Risk Based Internal Audit at Risk Reward Ltd. As head of internal audit at a leading international Japanese investment bank he set up a cutting edge risk based audit function and played a pivotal role in the establishing of the Audit Committee along Turnbull guidelines. In this first in a series of articles on the changing role and the impact of bank internal audit he describes the Basel Committee guidance to this changing and critical function within a regulated bank.

Risk Update 2010 – Q1


Regulatory expectation

The interest in the audit function within the senior executive ranks has mostly been motivated by regulatory concern, which in itself is inextricably linked to external events such as a bank failure. In the UK, this interest began with the introduction of the new Banking Act of 1987. Section 39 (s39) of this Act gave the Bank of England (BoE), predecessor regulator to the Financial Services Authority (FSA), the powers to obtain an “Accountant’s Report” on the whole or part of the operations of the bank. This power was used extensively by the BoE, providing a bonanza for the “big 6” accountancy firms of the time. These Accountants’ Reports tended to provide detailed analysis of the operations of the bank and in so doing uncovered many weaknesses in the control systems, which naturally led to recommendations for the establishment, or modernisation, of audit departments. It could be argued therefore that the credit for elevating the status of internal audit should really first go to the reporting accountants.

Since 1987 the role of internal audit has gradually gained more recognition in regulatory circles. But as mentioned above, it was the Basel paper in 1998 that propelled the audit function into the limelight. The successor supervisory body of the BoE, the FSA, adopted these principles in its rulebook and under the heading of “Corporate Governance” set about transforming boardrooms and the audit function. Part of this emphasis on internal audit was related to costs. It was recognised, mostly from the experience of s39 reports, that supervision on the scale being envisaged would be very expensive. Their solution was allowing the banks, as long as they behaved, a kind of limited “self regulation” in which internal audit and compliance functions were at the forefront.

The FSA now expects to be able to rely on the internal audit function as a “third line of defence” and in exchange it promises reduced supervisory enquiries and visits, which anyone who has gone through one of these knows very well can soak up immense management time and resources. So it is clearly in the interests of the FSA regulated firms to demonstrate that they have a strong robust internal audit function. Conversely, failures in internal audit will invariably lead to questions about its corporate governance which would in turn affect the credibility of the bank as a whole. It could also prove costly if the FSA demands a s166 report, which is the successor to the s39 report mentioned previously. As a last resort, the FSA is also quite prepared to slap additional capital charges where they find that management have not taken serious steps to enhance and support the audit function.

The establishment, or extent of modernisation, of an audit function in emerging markets will clearly depend upon the way in which the host regulators will translate, or already have translated, the Basel principles into their rulebooks. This in turn also depends upon the ambitions of the authorities in each jurisdiction to modernise its financial industry and its eagerness to gain international recognition as a centre of finance. The regime for penalties and punishments in each regulatory jurisdiction will also be a powerful factor for a bank in its approach to corporate governance and internal audit.

Supporting the audit function

Without any shadow of doubt, the success of the audit function depends upon the support executive management are willing to give to it. As demonstrated above, in the UK, senior executives’ interest in the audit function has mostly been motivated by regulatory concern. It is very rare to find an enlightened bank executive who fully understands the value of internal audit and of his own volition is prepared to invest in, nurture and support it. But without this support internal audit cannot function properly. Frustration will set in quickly and most good people will simply head for the door. High turnover in an audit department is always an indication that something is amiss and it won’t be long before the regulator will start asking questions.

In the UK, the common mistake of management was to absolve themselves of any further responsibility beyond appointing the chief auditor and perhaps sometimes other senior audit staff. Being audited, particularly with focus on risk, can be a traumatic experience for an organisation not used to having to respond to criticism. For this reason, any effort to extend the audit function beyond its previous narrow remit is normally met with resistance from the line.


The involvement of the CEO in any modernisation programme is therefore a must if it is to succeed. Indeed, in the UK it is in his/her self-interest to ensure that it does. It is common to find that failings in corporate governance and internal audit have normally been blamed on senior management, especially the CEO, to whom the regulators invariably turn for fixing the problems.

Support from the CEO, and his/her team, for the internal audit function has to be continuous and persistent. It is important to communicate regular statements of support for the audit function to senior and line managers. Meeting the head of audit and other members of the team on a regular basis to monitor their progress is important in ensuring that everyone in the organisation knows that the function is being fully supported at the top.

Audit Committees

The notion that internal audit should report to an audit committee is not new in the UK. Historically, the focus on Audit Committees came from the Combined Code on Corporate Governance, which has existed in various guises since 1992. Although many large commercial banks had functioning Audit Committees, their relationship with Internal Audit was superficial. It was not uncommon to find internal audit chiefs allocated only 15 minutes in audit committee meetings. In sharp contrast with their peers in other non-financial sectors, the banks’ executives did not pay much attention to the Combined Code until the new UK regulator, the FSA, adopted the Basel paper in 1998.

Nowadays, it is widely recognised that no modernisation of internal audit can be complete without a properly functioning Audit Committee. Even foreign branches and subsidiaries operating within the UK tend to form some semblance of an audit committee.

In the UK, the FSA insist that not only an audit committee be formed but it must also comprise a majority of independent non-executive directors (NEDs) and also that it be chaired by an independent NED, who should also meet with the chief auditor on a regular basis. The chair is also often required by the regulators to meet each senior auditor separately to gauge his or her competence and report back to the Committee.

Ideally the Chief Auditor should report directly to the Chair of the Audit Committee. According to the newly appointed Chair of an Audit Committee for a major bank in the UK: “how else can I assure myself of the independence of the audit function?” The same Chair also insisted on being the budget holder for the function and had full responsibility for staffing matters.

In practice, however, the chief auditor tends to have a reporting line to the CEO for pay and rations and other staffing matters and a dotted line to the chair of the audit committee for matters of governance. Both the CEO and the chief auditor have to tread a careful line though, as the effectiveness of the Audit Committee and its relationship with the internal audit function can often be compromised.

Executive directors not used to working with Audit Committees can often exert undue influence by insisting that all communication between internal audit and the chair of the audit committee go through them first, thus effectively controlling the flow of information to the Committee. This can also adversely affect the relationship between the chief auditor and the Chair and also the chief auditor and the CEO. Because of the dependence of regulators on internal audit, they tend to talk to auditors during almost all of their visits and it is only a matter of time before they start examining this area.

One way of avoiding any undue influence from management on the relationship between internal audit and the audit committee is to state as a matter of policy that the chief auditor and the chair of the audit committee shall have unfettered access to each other at all times.

Appointment of senior audit personnel

Without doubt, the appointment of the chief auditor is a first and very significant step in the modernisation of the audit function. The chief auditor is the face of the internal audit function; he will make an immediate impression on how the whole function is perceived by others inside, and equally outside, the business. The chief executive needs to take a personal interest in the selection process. Whilst suitable qualifications and experience are always important, temperament and cultural fit are equally significant. You don’t need to end up with someone who will upset everyone in the organisation but equally you also don’t want someone who is unable to hold his own in a confrontation and fails to protect the wider interests of the bank.


Managing the inspection department

In many larger banks in the UK, audit had sort of existed in the form of Inspections for decades before. Contrary to being regarded as a backwater, positions in inspection departments were highly sought after. Branch managers, and their able assistants who themselves were being fast tracked to management positions, saw a stint in the inspection department as a necessary prerequisite for more senior roles at the head office. Inspectors also tended to be typically long serving members of the staff, with informal networks and close personal relationships around the bank.

Creation of a new audit department resourced by outsiders on probably higher salaries than inspectors inevitably caused friction. This was also a time of industry restructuring and upheavals brought about by deregulation, which made an already fractious situation volatile, especially as the line positions that the inspectors were looking to walk into suddenly started to disappear.

The UK experience shows that the capacity of long serving members of the function to disrupt the modernisation process and prevent it from settling properly and embedding in the organisation should not be underestimated. Little things can provoke their wrath with disastrous consequences. For example, at one bank some inspectors successfully persuaded the executive responsible for audit and inspection to have the newly created audit function “inspected”. It transpired later that their main motivation behind this manoeuvre was anything but altruistic. Apparently, the inspectors were the same grades as audit managers. They felt very strongly that if they could not have offices of their own, neither should the managers in audit. This personal agenda eventually led to a wholesale reorganisation of the audit function. After that the relationship between the two functions never truly recovered. The resulting infighting eventually led to the replacement of the audit and inspection executive but by that time the damage had already been done.

Managing the disruptive elements of the inspection department, or an existing audit department, should be high on the agenda of the chief executive and should not be left to the heads of the respective functions to sort out between themselves.

Laying the boundaries

Modernising the internal audit function is likely to expand the scope of internal audit work into areas that until now have not been subjected to such an examination. To avoid confusion, it is important that there are clear boundaries within which internal audit is to operate. The setting of these boundaries is the responsibility of the board, or its audit committee, which it normally discharges by giving a mandate to the internal audit function, naturally in consultation with the chief auditor. In fact, good corporate governance necessitates that mandates are similarly awarded to risk, compliance and other governance functions as well.

To be effective the terms of reference should be clear and unambiguous. It is common these days, probably inspired by the new definition from the Institute of Internal Auditors (IIA), to see phrases such as assurance, consulting activity, add value, etc. creep into audit mandates. Phrases like these tend to obfuscate rather than provide a meaningful understanding in clear and unambiguous terms of what internal audit is all about and crucially what is expected of it.[1]

However, it must be stressed that in internal audit matters, the regulators in the UK are influenced by the IIA and expect the internal audit function to at least provide some ad hoc consulting work which they often call consultancy or value added work. Besides undermining normal internal audit work by implying that it does not add value, these are also misleading terms. Typically many internal audit functions reserve 20-25% for special work such as for fraud or other incident investigations, new system development projects and other advice on internal control matters that inevitably gets sought by the line from time to time. All of this work is perfectly legitimate for internal audit to get involved with as long as it does not compromise its objectivity and independence. The only difference here is that this work tends to be ad hoc one off assignments specifically requested by management as opposed to the majority of the recurring work that is determined by a risk assessment process.

Management should also be careful not to succumb to demands from their line managers to get internal audit to do work which essentially is the responsibility of the line. The most common requests tend to be for drafting of policies and procedures. Asking them to review already written policies and procedures is of course a reasonable request and should be considered under internal audit’s special work.

Finally, it must be recognised that the modernisation process can take some years before it can be properly established and embedded into the organisation. During this time a lot of changes can occur in the regulatory, economic and business environment, which will involve re-evaluating the governance framework and the structure of the internal audit function. Keeping pace with new developments not only keeps the regulators sweet but also ensures that the best talent is attracted to the function.


[1] I prefer a more traditional definition such as “To provide an independent opinion by an objective assessment and evaluation of the systems of internal controls, designed, installed and operated by management, and to report to management on their adequacy and effectiveness”.

For further information please contact:

Dennis Cox – CEO
telephone: +44 (0)20 7638 5558
email: [email protected]

Lisette Mermod – New York
telephone: 1-914-619-5410
email: [email protected]

Tariq Khan
telephone: +44 (0)20 7638 5558
email: [email protected]