Effective Internal Audit in Financial Services (the FS Code)

Post on 24-Jun-2018



Effective Internal Audit in Financial Services (the FS Code)

David Alexander, MD, Daart Solutions & CIIA EQA Panel Member

Contact: daa.risk@gmail.com 07584 092411

Today’s Programme

1. Why the FS Code and what was the impact?

2. Regulator’s perspective

3. Key findings of the 2017 review:

• what has gone well

• what has changed

4. CIIA’s “call to action” for guidance

5. Some continuing challenges faced by IA teams

6. YOUR experiences/observations

FS Code’s Journey

• Financial crisis

• 1st line …. 2nd Line …. Andrew Bailey (FSA) 2011

“I don’t believe that we are in the right place today in terms of the role and influence of these risks and (internal) audit functions”

• CIIA Committee (Roger Marshall 2012)

• Feb 2013 (draft) …. July 2013 (published)

• Recommended “review in 2-3 years”

• CIIA Committee (Mike Ashley) Sept 2016

• Updated Code published Sept 2017

FS Code’s Impact (2013)

• Put IA on the board (and executive) agenda

• Some concern at the regulators’ (now 2) approach

• Lack of guidance accompanying the “code”

• Changes to IA’s Role / Purpose

• Focus on:

opinions, risk, compliance & finance

Board & Exec MI

Conduct, Culture, Events

FS Code’s Impact

• Raised the bar for HIAs

• Gap analyses/EQAs

• Reporting lines clarified

• Casualties

• Significant appointments

• Co-source growth

• Increase in skills and in budgets

Context from a key regulator

• Stephen Brown (HIA, BofE) – IMF speech Dec 2016

• Reminder – the definition of internal auditing ….

“an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations.”

“It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

Stephen Brown’s observations

Basel Committee Audit Sub-group (2012)

• “Principle 1: An effective internal audit function […] help[s] the board and senior management protect their organisation and its reputation”

FS Code (2013)

• The primary role of Internal Audit should be to help the Board and Executive Management to protect the assets, reputation and sustainability of the organisation.

Global IIA (2015) “mission” (but not the definition)

• “To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.”

Senior Manager & Certification Regime (2016)

• HIAs at UK banks are now designated as one of a number of “Senior Managers” who must be approved by both financial regulators before taking up their position.

Stephen Brown’s observations

“… if we get to the point where IA functions get good at protecting their banks, then that sounds like a useful thing for supervisors and other authorities ….”

What has been the regulatory feedback on the FS Code:

• access to key information and attendance at key governance forums is much improved;

• Internal Audit’s reporting lines have been adjusted to better preserve their independence;

• resourcing (in terms of overall headcount) appears to have increased generally across the industry.

• ………. But what about assurance v. protection?


View of the CIIA Committee (2013)

“supports this [IIA] definition but ….. emphasises that the primary role of IA is to protect the organisation.

At the discretion of the Audit Committee, IA can perform other roles and activities, but …… not at the expense of helping the Board and Executive Management to protect the assets, reputation and sustainability of the organisation.”


How does IA “…. help the Board and Exec Management to protect the assets, reputation and sustainability”?

• assessing whether all significant risks are identified and appropriately reported by Management and the Risk function to the Board and Exec Management;

• assessing whether they are adequately controlled;

• challenging Exec Mgmt to improve the effectiveness of governance, risk management and internal controls.”

Impact of the FS Code

Example Commentary on IA Planning

“to significantly improve internal audit planning to ensure that it reflects the business model and risk profile of the organisation, rather than what internal audit or management are comfortable auditing. In other words, internal auditing needs to be truly risk based.”

Four Key Steps… [slide diagram; only the labels “Code” and “Impact …” survive]

2017 Review Conclusions

• FS Code achieved all or most of its original objectives

• Has supported real improvements across the sector

• Remains highly relevant and fundamentally sound

• Modest updates – clarifications and emphasis

• Highlighted the drive for further improvement

Drive for Further Improvement

• HIAs and AC Chairs to demand more from IA teams

• CIIA to produce more practical material on application & implementation – in particular helping smaller teams

• CIIA, professional firms and FS firms to seek new ways to promote benchmarking and sharing best practice, building in particular on external quality assessments (EQAs)

• Continued (increased?) support from the regulators. More reference to the Code by supervisory teams.

Key Changes:

• report annually on whether firms are adhering to their own risk appetite framework;

• review the action taken by the firm following any significant adverse event, such as regulatory breaches, including the roles of all the key actors;

• plans should be regularly reviewed to take account of new and emerging risks;


• look critically at the work of the organisation’s other control functions, in terms not only of their processes but also their quality; and

• play a central role in assessing the culture of the firm. It should look not only at the ‘tone at the top’, but also at whether behaviours right across the organisation are in line with its stated values, ethics, risk appetite and policies, and report on its findings.

CIIA “Call to Action”

• New product development

• Retail Credit Risk

• Risk assessment and audit planning factors

• Auditing outcomes in specialised areas (e.g. cyber)

• Actions following adverse events

• Annual assessments of governance, risk and control

• Criteria for Audit Committees to assess IA effectiveness

What about beyond financial services?

Some Continuing Challenges

• Proportionality

• Aligning IA risk view with the business’ risk view (v. independent view of risks)

• Assurance Mapping

• Data Analytics

• Quality Assurance & Improvement Programme

• Culture, Conduct, Change and Cyber

• “7 year itch”

Questions/Concerns from the breakout session

1. What is the best approach to auditing culture?

Continuously – in a range of audits. Use skilled (co-source) assistance; but don’t fully outsource the review. Retain knowledge!

2. Is the 7-year rule a precursor to rotation?

No – but it places onus on Audit Committees to annually confirm “independence”.

3. If the IA function has been outsourced, do you still need an EQA?

Professional firms have EQAs but each regulated FS firm technically still requires a separate EQA (at least) every 5 years.


4. What does it mean for HIAs and AC Chairs to demand more from IA teams?

HIAs/AC Chairs tend to have absorbed much of the impact of the Code and the related discussions. Aspects need to be cascaded down to IA team members (e.g. strategy, gap analyses, planning).

5. When will the extra guidance appear?

Some is already on the IIA website (e.g. new product development, retail credit risk) – look out for the rest over the next few months.