Internal audit has long been viewed as a key element of financial services firms’ frameworks to managing risk – the third of the three lines of defence. But now, internationally, there is new guidance that raises the bar of good performance. The Committee on Internal Audit Guidance for Financial Services in the United Kingdom has issued its recommendations for effective internal audit in the financial services sector following a year-long exercise of drafting and consultation. It is widely expected that similar recommendations will be applicable to South African financial services firms in the near future.
The guidance seeks to reposition the focus of internal audit from testing and reporting on the internal control environment, to supporting non-executive and executive management in the more effective management of key risks.
For internal auditors, the implications are that auditors could be moved from their “comfort zones” such as auditing operational processes and controls to “vaguer” areas such as governance, culture or corporate events.
Combining these recommendations with the thrust of suggestions emanating from King III, it is likely that internal auditors will also be required to take a position on assessing the ethics performance of companies.
Adding to the “discomfort curve” for South African internal auditors could be the need to take a view on the controls in place to ensure the accuracy, validity and completeness of elements of the Annual Integrated Report.
For a sector struggling to re-assert its position, it is believed that the guidance should be seen as an opportunity for internal audit functions to position themselves as trusted advisors. This new role will be accompanied by critical guidelines that will also need to be met.
Additionally, the movement of the performance bar, resources and skills within the audit function will be subject to increasing scrutiny and pressure as those involved seek to deliver on the new industry guidelines.
Preparing for change means that within the financial service sector, every internal audit function will have to conduct “self-audits” and critically assess the impact the guidelines could have on the function and, importantly, the audit plan so that appropriate organisational responses can be developed.
The question is just where the most significant impact on internal audit could be.
Some of the challenges for the new changes are discussed below.
POSITIONING INTERNAL AUDIT WITHIN THE ORGANISATION
Internal audit reporting lines should be clearly defined, and in many cases redefined as completely functionally independent. The chief internal auditor should report to the audit committee chairman, with all divisional heads of audit reporting directly to the chief internal auditor, rather than to local committees. Primary reporting lines should be within internal audit through which results are reported, objectives are set and appraisals are performed.
Secondary reporting lines should be to the CEO. This would assist in maintaining internal audit’s independence within every part of the organisation and also promote the reputation of internal audit as a key element of the governance and risk management framework. This poses a significant change to the common practice in South Africa for the head of internal audit to report administratively to the CFO or the CEO.
EMPLOYING SIGNIFICANT PROFESSIONAL JUDGEMENT
Internal audit will need to extend its reach to highly judgmental areas. The organisation’s risk and control culture, and the risk appetite should be captured in the audit universe and be subject to audit coverage. Management “tone from the top” should be considered, along with a bottom-up assessment of attitudes to control and risk management. This is in line with King III that specifically drew attention to the need for independent assurance of the ethics performance of an entity, the risk management function and the integrated report. With the exception of the audit of the risk management function, which has been a requirement for some time, the methodology for assuring matters such as ethics performance, culture and the integrated report in its entirety is still in its infancy with the identification of criteria to audit against being one of the biggest challenges. Assessment of these specific areas is not widespread practice, certainly with the rigour and consistent approach envisaged by the guidelines, and may be difficult and uncomfortable for the internal audit function.
AN OUTCOMES-BASED APPROACH
Auditing the processes and controls associated with risk is central to most internal audit methodologies. This involves shifting the focus to expressing an opinion on the outcome and may lead to less familiar territory.
Therefore, where processes and controls promote the reduction of the associated risk but the outcome suggests that the risk is not mitigated, the auditor must provide a challenge to the judgement and actions of management. The fair treatment of customers is a good example of where this will be seen in practice, with valid complaints comprising a key measure of customer outcome. An auditor’s challenge of managing judgements will therefore be core to future internal audit practices.
There is no doubt that auditing of culture and risk appetite, and gaining conclusions based on outcomes, will draw heavily on the professional judgement of auditors. Making professional judgement requires skill and experience of a high level.
Challenging senior management will require the auditor to be of a similar standing to the individuals they are challenging. It is also anticipated that the move towards staffing Financial Services Internal Audit functions with fewer, but better qualified and more experienced staff members will intensify. What will have to be considered is a move away from appointing internal auditors with a financial accounting background and expanding recruitment horizons to include mathematicians, data scientists and engineers in order to obtain a holistic view of the combination of risks faced by the organisation.
It is not certain when these recommendations will come to South Africa.
What is important to note though is that the changes to internal audit in the financial services sector are inevitable and that professionally aware internal auditors will need to prepare themselves for this eventuality.
Author: Nina le Riche