Banks stepping up risk oversight - number of senior managers responsible for internal audit rises 8% in a year

18 Sep 2017

Revised code on internal audit in UK financial services launched 1 September.

Banks and other major financial institutions are stepping up their oversight of risk by nominating more senior managers with specific responsibility for internal audit, says the Chartered Institute of Internal Auditors (The Institute).

Figures show that there has been an 8% increase, from 143 to 155, in the last year* in the number of individuals identified under the Senior Managers’ Regime (SMR) as being tasked with the oversight and management of internal audit.**

The increase comes as the overall number of individuals allocated a prescribed responsibility under the Senior Managers’ Regime has decreased from 3,159 to 3,111.

The Institute says the rise reflects growing recognition of the importance of the role of internal audit within the financial services sector in the management of risk – both financial and non-financial.

Internal audit provides assurance that risks are being thoroughly evaluated and properly managed, and helps to prevent corporate failures and scandals. Internal auditors act as a powerful early warning system for NEDs and other senior executives, as trusted and independent advisors in the organisations they serve.

The Institute says that, by including internal audit on the list of specific roles that the FCA says financial businesses should have in place, the regulator has highlighted the importance of senior involvement and accountability. It is also a clear message of support for the internal audit function.

The Senior Managers’ Regime (SMR) makes individuals personally responsible for certain prescribed areas of their organisation’s activities. It covers those working in banks, building societies and PRA-designated investment firms.

To help further strengthen internal audit’s position within UK banks and other financial institutions, the Institute has just updated its guidance on how risk should be managed in these institutions.

The new ‘Guidance on Effective Internal Audit in Financial Services’ – widely known as the Financial Services Code – strengthens the role of internal audit in financial institutions. It also provides a benchmark against which boards and regulators can assess the effectiveness of their internal audit functions.

Key changes to the Code include new provisions that:

  • Internal audit should report annually on whether firms are adhering to their own risk appetite framework;
  • Internal audit should review the action taken by the firm following any significant adverse event, such as regulatory breaches, including the roles of all the key actors;
  • Internal audit’s plans should be regularly reviewed to take account of new and emerging risks;
  • Internal audit should look critically at the work of the organisation’s other control functions, in terms not only of their processes but also their quality; and
  • Internal audit should play a central role in assessing the culture of the firm. It should look not only at the ‘tone at the top’, but also at whether behaviours right across the organisation are in line with its stated values, ethics, risk appetite and policies, and report on its findings.

Institute Chief Executive, Dr. Ian Peters, says: “Banks and other financial institutions are upping the ante in ensuring that internal audit provides an effective line of defence against risk.”

“By raising it up the agenda at a senior level, regulators are demonstrating that they recognise the vital role internal audit plays as an independent internal watchdog. Putting it on the list of SMR-designated roles is a strong show of support.”

“Assigning personal accountability to top-tier leadership means that internal audit should be better supported in carrying out its crucial role and making sure it has a powerful voice in the boardroom.”

“The original Code made a real difference to the authority of internal audit since it was first published in 2013. This updated edition will provide an invaluable framework to help inform and strengthen the process, to ensure that organisations’ risk management controls are robust and fit-for-purpose.”

*Year to June 2017

**Includes: safeguarding the independence of the Internal Audit function within their organisations and overseeing internal audit’s performance.

-ENDS-