According to a new report by the Chartered Institute of Internal Auditors (IIA), leading internal auditors in the financial services sector are being brought in earlier to assess whether risks are being properly evaluated in major strategic events such as product launches, major investments and mergers and acquisitions. This strengthened role for internal audit in helping boards to challenge management decisions is also being championed by the financial services regulators.
These internal auditors are seeing their sphere of influence and the value they deliver within their organisations transformed, as regulators focus ever more intensely on the management of risk, of which internal audit forms a vital part.
These are among the key findings in a research report entitled “Building Effective Internal Audit: Putting the Pieces Together” published by the IIA. The research is based on a series of interviews with Heads of Internal Audit in a variety of financial services firms, and also incorporates comments from the regulators. The interviews were designed to identify good practice following the introduction of the IIA’s new Financial Services Code last year.
Dr Ian Peters, Chief Executive of the Chartered Institute of Internal Auditors (IIA), says: “The feedback we have received is that the role of internal audit is now seen by the regulators as a key indicator of the good governance of risk.
“Leading firms appear to be stepping up accordingly, particularly since the introduction of our new Code last year. Heads of Internal Audit have been able to use this as a valuable driver for change. These examples of good practice should serve as a wake-up call for firms both in financial services and beyond.”
The IIA’s research suggests that the best internal audit teams are seeing the scope of their remit expanding and working practices changing. Leading firms are increasingly bringing internal audit in to advise on the M&A process and other significant strategic events at an early stage, in order to challenge or provide assurance on how risks are managed in key transactions before they are made. Dr Peters says: “As M&A activity picks up after the recession, internal auditors are making an essential contribution to success by helping to stress-test decisions, and ensuring that risks posed by major corporate events are being properly addressed and managed.
“Our research suggests that internal audit is moving towards taking a ‘risk-based’ approach rather than a cycle-based one as was the norm before, and focussing on outcomes instead of processes. In the financial services sector this has accelerated since the introduction of the IIA Code. Internal auditors are now better positioned to focus on the bigger picture, taking a more active role in advising on strategic business activity, rather than getting lost in the weeds.”
Dr Peters says: “The reporting line for Internal Audit is a crucial indication of how independent the internal audit function is of the executive, and therefore how effectively it can support the board’s role in challenging management. Regulators are now more likely to consider the position and effectiveness of internal audit in their assessment of how well risks are being managed. They will want to see whether it has the access it needs to the key decision makers and whether it holds enough sway at senior levels to have a positive impact.
“The regulators are also looking at how strategic decisions are made to see whether boards, supported by internal audit, are challenging management effectively. Where the role of internal audit is not in line with the Code’s guidelines, firms will need to be prepared to explain to the regulator why they believe their approach is right for their particular circumstances.”
Dr Peters points out that although the Code and the new report were specifically drawn up to look at the role of internal audit in the financial services sector, they also have wider implications for business as a whole. “Our report has made significant headway in identifying common issues as well as examples of how firms are making internal audit work for them.
“The financial sector is not the only one to suffer from major scandals in recent years, and the good practices being introduced as a result of the IIA’s Code can help strengthen governance and risk management elsewhere, such as in the public sector, health, manufacturing and retail. Many of the lessons learned and the good practice currently being developed in financial services around engagement and support, as well as independence and objectivity, will be equally applicable and valuable in a general business context.”