Research report: Building effective internal audit
In this report, we look at how firms in the UK financial services sector are successfully implementing the individual recommendations contained within the IIA's Financial Services Code Effective Internal Audit in the Financial Services Sector. These examples of good practice are also relevant for increasing the effectiveness of internal audit in other sectors.
In the report, produced with kind support from EY, we present the results of interviews with a number of Heads of Internal Audit (HIAs) from different parts of the financial services sector, and from different sizes of institution. We also look at how the regulators are using the Code in their supervisory work.
- HIAs have used the Code as an additional driver for change in the position and role of internal audit and for increasing its effectiveness
- Getting engagement with audit committees right is crucial. But while support for introducing the right structures is important, audit committees also need to be continually engaged on issues around internal audit effectiveness.
- HIAs believe that the regulators need to engage more on how organisations are implementing the Code, offering more feedback and support.
- In response, the PRA has said it is prepared to discuss exceptions where firms believe an approach that is not in line with the Code is right for them. But it regards the Code as a benchmark.
- The FCA says it does not look to supervise firms against the requirements of the Code. Rather, it considers the effectiveness of internal audit functions, including how they engage with the board and executive, as an important indicator of effective decision-making within firms, and will look to engage with internal audit where appropriate. Where the FCA considers the IA function effective, it will also place reliance on the function's outputs when drawing its own conclusions, and use it to undertake reviews within firms.
HIAs who were interviewed welcomed the Code as “eminently sensible” and a “valuable driver for change”. One HIA, who had been appointed shortly before the Code was issued, used it to support an incoming reform agenda. “As a newcomer I was able to use the Code as an additional lever to change internal audit practices”. Another HIA had already been involved in raising the profile and role of internal audit across the organisation “but the Code gave it additional impetus”.
All respondents had conducted a formal gap analysis, either internal or external, of their internal audit function’s performance against the Code and the results had been discussed with audit committees. “Overall there was lots of discussion, support and acknowledgement from the audit committee – the Code has been fantastic for us as it really is a benchmark for us to measure ourselves against.”
“Our progress against the Code is monitored in monthly one-to-ones with the audit committee chair, and we present a formal quarterly report to the committee.” For several, however, the response of their committees was disappointing despite their approval of reforms. “We had passive support from the NEDs and executives for enhancing internal audit, but are not being challenged on our role.” “More guidance or insight is needed for audit committee chairmen to help them understand the heightened expectations on them personally. The onus is too much on the HIA taking the initiative.”
Chris Field, Group Head of Internal Audit, Yorkshire Building Society
“Reporting to the CEO has had an impact on internal audit’s standing in the Society. Doors are more easily opened and internal audit has risen up management’s agenda. The challenge for me now as an HIA is that I need to play a more strategic and political role in the organisation.”
Engaging with regulators
One area where there was disappointment was the engagement of the regulators. Some respondents had tried to discuss their implementation plans, based on a gap analysis, with the regulators. “There has been no increased interaction following the launch of the Code, nor any feedback on the questions we have asked. There is a danger that the Code will simply become a tick-box exercise.” “We have spoken to our supervisors in the PRA and FCA about our response to the Code, but it has largely been a one-way information flow.” The IIA has also raised concerns with the regulators, in particular on the need for audit committees to get engaged rather than leaving it to their HIAs.
The PRA has held a meeting with a number of audit committee chairs at which they explained their approach to the Code. Internal Audit specialists at the PRA have begun to sit in on audit committee meetings to observe how internal audit is dealt with in practice, looking for example at the amount of time spent and the seriousness with which the committee regards issues raised. They see compliance with the Code as one indicator of effective internal audit. It will not be used as a tick-box exercise but as a measure of how audit committees and executive management are moving towards a culture of challenge and improvement.
The FCA regards the effectiveness of the Internal Audit function as an indicator of how the firm runs its business and its culture towards managing risks to customers and markets. It sees internal audit as a vital player in assisting the board and executive to make effective decisions, and in alerting the board to potential conduct and reputational risks. Where the FCA believes a firm has a robust internal audit function, it will look to place greater reliance on its findings and use it to undertake reviews within firms. Whilst the FCA does not supervise firms against their delivery of the IIA Code, it sees it as a benchmark for internal audit, alongside the other tools that provide guidance to the industry, e.g. the Corporate Governance Code.
Hilary Weaver, Head of Internal Audit, Lloyds of London
“I have private sessions with the audit committee away from the formal meeting as well as one-to-ones with the chairman. They are a useful supplement to structured meetings and have been incredibly valuable in giving Audit Committee members greater insight into the organisation and background on the risks around change initiatives.”
- Having a functional reporting line to the audit committee chairman, supported by an administrative line to the CEO, can transform internal audit’s influence and effectiveness.
- The PRA and FCA regard the reporting structure as an important indicator of how independent internal audit is of the executive and therefore how effectively it can support the board’s role in challenging management.
- Organisations where the structure is not in line with the Code will need to explain their reasoning to the regulator, showing why they believe that it is right for their particular circumstances.
- Many find that attendance at executive committee meetings by the HIA can be valuable in supporting unrestricted scope and access and allowing internal audit to play its enhanced role in supporting the challenge of strategic decisions.
- Just as important is advance access to documentation for the executive committee and audit committee.
- But HIAs need to find a way to preserve their independence and objectivity in the executive committee in order to be able to support the board’s challenge of the executive.
- Informal sessions with the chairman and members of the audit committee away from formal meetings can be valuable.
All of those we interviewed had had their access, standing or reporting lines enhanced in some way since the introduction of the Code. While most reported to the audit committee chair beforehand, all do so now. Many are now playing a much more active and influential role on the executive committee.
While the HIAs we spoke to saw this new role as strengthening their ability to challenge on risk management, control and governance and to support the audit committee at a strategic level, they were very aware of the dangers of compromising their independence and objectivity. Dominic Clark at AIB was offered a full voting role but declined in order to preserve his independence. Others excuse themselves from discussions where they feel participation would be inappropriate. At Virgin Money, Nick Collins, Head of Internal Audit, says “I recognise the risks over independence with this new level of access. But we are robust and have used the Code to strengthen the audit charter, giving more confidence to internal audit team members. I have resisted being drawn into decisions in certain areas to help keep a true barrier in place.”
Nick Collins, Head of Internal Audit, Virgin Money
“I am an active, non-voting participant of the executive committee. It is great to have this role endorsed by the Code. I feel much more comfortable discussing our viewpoint on key issues as a result of the regulator backing the IIA Code.”
Access to real-time information is another area where the Code has improved practices and allowed HIAs to strengthen their role in the challenge of strategic and other decisions, either directly or by supporting the audit committee. Rob Lucas, Group Head of Internal Audit at NFU Mutual, receives board papers in advance as well as minutes, and has access to executive committee papers on request.
Nick Collins at Virgin Money sees board papers on request and has never been denied access to any papers. “I have good visibility of the strategic decisions made at executive level and have observed more willingness from the executive committee to ask us questions, seeing us as a trusted adviser.”
Scott Strachan, Global Head of Internal Audit at Aberdeen Asset Management, comments “I now have fuller access to Exco and continue to network with the non-executives and executive, helped by an increased focus on Internal Audit. I hold plenty of one-to-one discussions that act as a continuous monitoring tool.”
The Code also appears to have strengthened the relationship between the HIA and the audit committee chairman, including getting more meeting time. Sally Clark, Chief Internal Auditor at Barclays, has regular interactions with the audit committee chair, and the chair’s involvement has increased to include informal meetings with the whole audit management team. In one case the HIA’s reporting line still includes the finance director, following an external review. All parties have agreed that this works best in their particular governance structure, and they are prepared to defend it if questioned by the regulator. But the HIA now has one-to-one informal meetings with the chairman as well as his structured meetings with the audit committee. Hilary Weaver, Head of Internal Audit at Lloyds of London, says “I always had a reporting line to the audit committee chairman and CEO, but now the emphasis has changed. The chairman agrees my objectives and conducts my appraisal in liaison with the CEO.” The HIA of a privately-owned bank also values the regular meetings outside the formal timetable, not only with the audit committee chairman but also with the risk and compliance chairman and the partners (owners), noting that “the time I get outside of structured meetings is key”.
The PRA and FCA regard access, standing and reporting lines as vital indicators of how effective an internal audit function can be. Ragveer Brar, Manager, Risk Specialists Division of the PRA, says “Whatever the quality of the work it undertakes, if internal audit is not being appropriately supported by the audit committee, or if its findings are not being adequately addressed by the executive, its strength will be undermined and the governance of the organisation weakened.” The FCA also regards the way internal audit is involved and listened to in decision-making as an indicator of the health of corporate culture, and may look at the function’s position in governance structures in its deep-dive supervisory work.
Chris Field, Group Head of Internal Audit, Yorkshire Building Society
“It is very important to get the input of the risk management function and the executive in preparing our audit plan. This year we held a half-day planning workshop with key stakeholders to get their view of risk, share understanding of emerging issues and to align approaches while preserving our independence of assessment. This was a very valuable session.”
- Internal audit faces increasing challenges as it engages on strategic and other business issues in a rapidly changing environment.
- It is vital for internal audit to build up networks of information that enable it to understand the internal and external factors driving risk, using its own judgement.
- Larger organisations have established teams to monitor and assess risks in order to form an independent internal audit view.
- The Code has greatly accelerated the move, already underway, from a cycle-based approach to risk-based internal audit, and from a focus on process to one on outcomes.
- Internal audit planning is becoming more flexible.
- The culture of an organisation is an important factor, but there is no single answer to how internal audit should engage on it.
- No-one thinks any of this is easy.
Many HIAs thought that the existing audit universe identified by their organisation was appropriate, although internal audit has been able to identify some additional risks that need to be included. IT risks and customer outcomes are examples, and some are starting to grapple with giving a view on culture. Rupert Nottidge, Group Head of Internal Audit at Schroders, says “There is a process run by our risk function to identify the key risks that impact on the organisation. I have improved the mapping of the work of internal audit to these to provide assurance against them.”
At YBS, Chris Field, Group Head of Internal Audit, says “Internal audit has developed its own risk assessment, signed off by the audit committee and discussed with NEDs on the risk committee.” But he also fed in the views of risk and the executive in developing his assessment.
Rupert Nottidge at Schroders also includes the views of compliance, co-source partners and the external auditors in his mapping. Nick Collins at Virgin Money says “I form my own view of risk whilst also reviewing the accuracy of the business’s own view of risk. My own level of access to individual functions helps me to do this.”
Donald MacKechnie, Group Audit Director at Lloyds Banking Group (LBG), includes both a bottom-up and a top-down approach to risk assessment. The bottom-up approach is based on the Control Framework Assessment process, capturing views on particular departments and functions based on audit activity, risk management activity and views captured from attendance at the various committees. Top-down involves looking at the strategy and risk drivers, such as the FCA Risk Outlook, and feeding these into the planning process. Some internal audit functions are also carrying out a risk governance audit so that they can better judge inputs from the second line of defence.
Ragveer Brar, Manager, Risk Specialists Division, PRA
“Internal audit needs to keep a firm grip on the audit universe and guard against the danger of focussing only on risk as identified by the executive. We expect internal audit to make an independent risk assessment, drawing on the executive view as well as bottom-up internal signals and external indicators.”
Given the fast-moving nature of risk assessment and the need for internal audit to constantly review its risk assessment, priorities and coverage, some larger internal audit functions are looking to a continuous monitoring team or a business regulatory team to examine how internal developments or new products affect the risk assessment. Smaller internal audit functions are not able to set up special teams. Rob Lucas at NFU Mutual says that he has quarterly meetings with each of the directors, and his team attend risk and governance meetings as observers. From this they keep up to date with the risks facing the business, in particular in high-risk areas. “One challenge is trying to consistently calibrate this across the organisation.”
Audit planning is changing in response to the Code. Organisations are finding different ways to add flexibility to the planning process.
Audit planning is also changing in response to the Code. Barclays has introduced a rolling “3 plus 9” flexible planning approach. The first three months are fixed and approved with flexibility in the plan for the following nine months. Sally Clark says “We work closely with management and the first and second lines of defence throughout the planning process, pulling in information to inform the plan. We also have a defined risk framework in the bank that allows commonality of language and understanding.” She notes though that it is a challenge to balance efficiency and flexibility with the approach.
At NFU Mutual, Rob Lucas says “We are moving from our traditional rotational and functional model to a more risk-based planning approach, which is challenging. We introduced a 3 plus 9 month planning approach, but that is moving towards 6 plus 6 to allow for lead times in preparing our work.”
Anne Obey, Divisional Director, Group Internal Audit at Nationwide Building Society (NWBS), holds monthly meetings with her senior team to discuss the key risks and priorities that inform the top-down assessment of the risks driving the plan, and makes adjustments accordingly. This also creates a longer-term view of the audit plan.
Others are introducing more flexibility by increasing the size of the contingency buffer in the audit plan. LBG have also used a 6+6 approach but are planning to move to an annual planning process with additional contingency time to provide flexibility. Donald MacKechnie says “This will be more efficient by reducing the overall Audit and senior management time in putting together the operating plans of the Group, which are refreshed every year.” AIB’s aim is to build some flexibility into the audit plan by holding an element of the plan in reserve.
Culture is a specific area of risk that is proving challenging. The IIA has addressed this separately with guidance on the areas that internal audit can examine and the mixture of hard and soft controls they need, illustrated with case studies from internal audit functions that are already engaged. Some, like Aberdeen Asset Management, Virgin Money, AIB and Nationwide, are gathering data from normal audit work to form an overall view of the different aspects of culture. This “gut feel” can then be discussed either formally or informally with the audit committee or its chairman. AIB has introduced at the start of each audit a questionnaire on issues such as the escalation of concerns to help generate useful information.
Culture following M&As is also an issue for some, and internal audit can have a role to play in ensuring that different cultures come together in the way the board requires. Two organisations, Barclays and Aberdeen Asset Management, have introduced cultural change programmes. That has enabled the audit function to leverage work being done in the broader firm, in the latter case increasing the focus of internal audit on culture as an issue in its own right. At AIG, the IIA Code is being used to drive thinking at the global internal audit level around areas such as how to audit culture.
The PRA stress the importance of boards and audit committees ensuring that their organisational culture does not lead to decisions that are out of line with their risk appetite, values and ethics. They say that internal audit should play a key role in supporting the board’s ability to challenge the executive on culture by using effective root cause analysis and maintaining an awareness of the cultural implications of the findings from audits conducted. The PRA issued a Statement of Policy in June 2014 “The use of PRA powers to address serious failings in the culture of firms” detailing their approach.
The FCA follows a similar line and sees the strength of internal audit within the firm as an important factor in ensuring the firm’s culture supports delivery of fair outcomes to consumers. Where internal audit is considered well-positioned and effective, the FCA may draw on its work on organisational culture and decision processes.
Rob Lucas, Group Head of Internal Audit, NFU Mutual
“We are unlikely to undertake a separate audit of ‘culture’ in isolation. We have ‘guiding principles’ for our staff that support the values and risk culture of our business and adherence to them by staff is monitored by management. As a mutual, customer service is at the heart of what we do and the key thing is to ensure there is no room for complacency. Aspects of risk culture are considered in individual audits. We are researching a ‘people risk thematic review’ and this will look at how the guiding principles are embedded throughout the firm.”
The IIA Financial Services Code has been widely welcomed by the internal audit community across the sector. It is already starting to lead to significant change in the governance, management and coverage of internal audit, in some cases transforming the work of those affected in the most positive way. But all those who participated in this study see this as a long-term process, and recognise that it has raised new challenges for HIAs and their staff. The real success of the Code can only be measured once the changes that have been initiated have bedded down and had their full effect. Moreover, the profession will need to rise to the challenge for that success to be realised – a brave new world for internal audit.
No single best practice
The way firms are implementing the guidance in the Code varies greatly from one organisation to another. There is no single set of best practices on the Code, and this report does not attempt to offer one. Instead organisations need to introduce structures, practices and methods that are right for them. Where these appear not to be in compliance with the terms of the Code they will need to justify them to the regulators.
The approach of the two regulators is very different. The PRA have conducted several reviews of internal audit functions and maintained a dialogue between their internal audit experts and the industry on how different areas of the Code are being implemented. The FCA is taking a risk-based approach to the supervision cycle. Engagement with internal audit may well be one of the areas the FCA will look at to inform its judgements. While internal audit will not be the subject of continuous monitoring, audit committees will nevertheless need to ensure they are applying the spirit of the Code, if they are to demonstrate effectiveness.
While the Code is designed to establish principles rather than detailed rules, and is written “in the context of a reasonably sized company operating within the UK regulated financial services sector” it is worth noting that very few of the recommendations are size-specific, and that organisations with their headquarters in other jurisdictions are still expected to comply with the spirit of those areas of the Code they are unable to implement fully. Conversations with the regulators about areas where the Code is not followed are likely to be in the context of a general expectation of compliance.
Building on the Code
The Code is only one contribution to improving the effectiveness of internal audit. It builds on the IIA International Professional Practices Framework, together with the associated IIA Global guidance and Practice Advisories, and also has to be seen in the context of Basel III, Solvency II, the FRC Corporate Governance Code and Guidance, and other relevant instruments. However, it is unique in its level of detail and the specific nature of its recommendations for the profession, and as such should play a central role in building the relationship between internal audit staff, board members and executives, and in informing HIAs about how the effectiveness of their function can be improved. We hope that this report will contribute to these two goals.