
Research report: Embedding effective internal audit in the FS sector


We conducted a survey of heads of internal audit to find out what progress they were making on implementing the IIA's financial services code. We also conducted interviews with respondents to get a more detailed picture of the action they had taken, their progress and the challenges they faced.

Download the full report (pdf, produced with the support of Protiviti)


Selected contents

Executive summary
Survey findings
Identifying the scale of the task
Key compliance areas
Challenges ahead
Auditing culture
View from an audit committee chair, case studies


Executive summary

The Chartered Institute of Internal Auditors (IIA) launched its Financial Services Code, Effective internal audit in the financial services sector, in July 2013. In this report we publish the findings of a survey of IIA member Heads of Internal Audit (HIAs) in the financial services sector, carried out in November 2013 to provide a snapshot of progress towards implementation of the Code. We would like to thank Protiviti for their generous support for this project.

Forty-four HIAs responded to the survey. We also conducted follow-up interviews with one-third of respondents and did two in-depth interviews. Participants in the survey represent key parts of the UK financial services sector, including banking, insurance, building societies and credit unions, and asset management.

Our survey and interviews reveal that there are clear concerns about proportionality in the implementation of the Code. No two institutions are the same, and clearly there needs to be a dialogue between organisations and the regulators about individual circumstances, in particular relating to size. Many of the Code's recommendations (such as those on reporting lines, adequacy of resources or HIA remuneration) require boardroom buy-in, and their implementation should be championed by the chair of the audit committee. The chair will need to be prepared to defend arrangements that do not match the Code's guidance.

The challenges regarding the audit of culture apply across the spectrum of financial services institutions. So too do those relating to resourcing. Small firms are constrained by having small internal audit teams, while larger firms have also indicated that they have to present a reasonable business case as to why internal audit may need more people/outsourced services.

These are however early days, and the IIA is working to identify good practice in implementing the Code in a range of institutions. Part of this work will be to establish how the regulators are responding to the sorts of issues identified in this survey.

The key findings of our survey are:

• Awareness of the Code is high (audit committees 96%, chief executives 93%, other senior executives 91%, board 80%). 

• Over four-fifths of respondents (82%) believe that they only need to make "minor changes" to follow the Code fully.

• Some 16% say it will be difficult to ensure that the HIA has the appropriate standing called for in the Code, i.e. at executive committee level. 

• Around one in seven (14%) foresees problems trying to ensure that internal audit's scope includes strategic and operational information. 

• Only 2% say they are unlikely to be able to make their primary reporting line to the chair of the audit committee, and 14% their secondary reporting line to the CEO. 

• Auditing culture is seen as the most difficult area of the Code (recommendation 6d) with 34% saying it poses significant challenges. 

• Several HIAs have concerns about adequate resourcing to meet the recommendations of the Code.

• Some also question the degree of internal audit's involvement in assessing management's decision-making and attitudes to risk. 

• Some HIAs have questioned how they can assess the adequacy of their approach against the Code.


Survey findings

What is your financial services sector organisation?

The chart below shows the spread of respondents across the different parts of the financial services sector.

Type of organisation (percentage of survey participants):

  • Retail bank: 25%
  • Wholesale bank: 9%
  • Building society: 7%
  • Credit union: 0%
  • Asset management: 16%
  • Financial adviser: 0%
  • Insurance: 30%
  • Other (please specify): 14%

What is the staff size of your organisation?

This relates to the number of people that are in full-time employment. If the organisation is part of a group, it refers to the part for which you are responsible.

The chart below shows the respondents' profile by size of organisation. Some 32% work in financial institutions with between 250 and 1,000 employees.

Staff size diagram

Are the following aware of the FS code?

The vast majority (93%) of HIAs were aware of the Code prior to its publication, with two-thirds (66%) hearing about its development from the Institute. Nearly a quarter (23%) of respondents heard about the development of the Code from regulators such as the Financial Conduct Authority or the Prudential Regulation Authority, or from one of the professional services firms that provide their organisations with external audit and/or internal audit services.

Even though the Code had only been published a few months prior to the survey being carried out, nearly all (96%) respondents say that their audit committees are aware of the Code, as are their chief executives (93%) and other senior executives (91%). Boardroom awareness, however, is a little lower (80%), though still high.

FS code awareness diagram

HIAs have responded favourably to the Code. Chris Field, Head of Internal Audit at Yorkshire Building Society, says: "I think that the FS Code is at exactly the right spot. If you look at the various crises and scandals that have hit the industry in recent years, it is evident that internal audit needs to ask more questions about the culture and leadership of the organisation."

Nicola Rimmer, Vice-President, Internal Audit at Barclays Bank, who is the current IIA President, says that "the Code spells out more clearly what the expectations of internal audit should be, and how the profession can provide more assurance in areas that have traditionally not been part of internal audit's remit, such as business culture."


Identifying the scale of the task

  • Over 90% of respondents (93%) have performed a gap analysis to measure their level of compliance with the Code, with 39% confident that their practices reflect those in the Code
  • One-third (34%) of respondents are reviewing individual aspects of their organisational structures and practices to ensure that internal audit covers each of the Code's recommendations

Most HIAs have already started benchmarking their activities and structure against the Code's recommendations. Almost two-fifths of respondents (39%) say that, having performed a gap analysis between the Code and the internal audit function's existing practices, they are "confident" that their current approach reflects the practices put forward in the Code.

One-third (34%) of respondents say that their approach is to review individual aspects of their organisational structures and practices to ensure that internal audit covers each of the Code's recommendations, while 9% say that they are reviewing their whole structure and approach to internal audit with a view to implementing wide-ranging reform reflecting the Code. None say that they comply fully, and 7% said that they had yet to undertake a gap analysis.

Over four-fifths (82%) of HIAs believe that they only need to make "minor changes" to follow the Code fully, while one in six respondents (16%) say that they need to make "significant" improvements. Only one respondent said that his/her department needed to make "material improvements" to fully meet the Code.

In the post-survey interviews, the majority of HIAs who responded said that they were confident that they will fully comply by the end of 2014. The response of Christine Wareham, Head of Internal Audit at United Trust Bank, was fairly typical: "Where small gaps against full compliance are identified, these areas will be added to our internal audit plan and annual training plan to ensure that we meet the required level of compliance by the end of 2014."

What action is your organisation taking to implement the provisions of the FS Code?

Action the organisation is taking (percentage of survey respondents):

  • None - we are yet to undertake a gap analysis: 7%
  • None - we already comply: 0%
  • We have performed a gap analysis between the Code and our practices. We are confident that our current approach reflects the practices put forward in the FS Code: 39%
  • We are reviewing our structure and approach to internal audit with a view to implementing wide-ranging reform reflecting the FS Code recommendations: 9%
  • We are reviewing individual aspects of our organisational structures and practices to ensure we cover each of the recommendations of the FS Code: 34%
  • Other (please specify): 11%


Key compliance areas

  • All HIAs believe they report to the appropriate governing body
  • Nearly nine out of ten (89%) say that internal audit is independent of risk management, compliance and finance
  • Over four-fifths (84%) say that their primary reporting line is to the audit committee chair

There are several areas where the Code is already strongly complied with. For example, 100% of HIAs say that they report to the appropriate governing body (recommendation 7), while nearly all (93%) say that internal audit's scope is unrestricted (recommendation 3) and that audit plans are flexible and that any changes are approved by the audit committee (recommendation 5). A similar number (93%) say that internal audit has access to key management information (recommendation 14).

Nearly nine out of ten HIAs (89%) say that internal audit is independent of risk management, compliance and finance (recommendation 9), and that they assess the adequacy of these departments (recommendation 10). The same percentage indicates that they ensure that the internal audit team has the necessary skills and resources to do its job effectively (recommendation 21). The vast majority of respondents (89%) also say that the HIA and other senior team members have an open, constructive and co-operative relationship with regulators (recommendation 29).

Furthermore, 84% say that they comply with recommendation 1 which states that internal audit supports the board on risk management, governance, and internal control (the remainder say that they foresee "no difficulty" in complying), while the same percentage says that the board, its committees and executives set the right tone at the top to support internal audit (recommendation 2). 84% also say that internal audit's scope includes capital and liquidity risks (recommendation 6f) and that the HIA's primary reporting line is to the chair of the audit committee (or similar role) as per recommendation 15.


Challenges ahead

  • Some 16% of respondents say it will be difficult to ensure that the HIA has appropriate standing, i.e. at executive committee level
  • Around one in seven (14%) foresee problems trying to ensure that internal audit's scope includes strategic and operational information
  • Some 14% cannot ensure that their secondary reporting line will be to the CEO, but only 2% foresee difficulty in being able to report directly to the chair of the audit committee as their primary reporting line 

While over 80% believe that they only need to make minor changes, there are areas that represent a challenge to HIAs and their audit committees. Nearly one in ten believe that they will have difficulty trying to comply with recommendation 19 of the Code, which states that HIAs should ensure that subsidiary, branch and divisional heads of internal audit report to the group head of internal audit directly, as opposed to the chief executive or finance director. 

Just over 10% of respondents say that they will have problems complying with recommendations 4, 6c, 13 and 17 of the Code. These refer to: internal audit forms an independent view of key strategic risks, assesses how they are managed and has a risk-based audit approach (4); internal audit's scope includes the setting of and adherence to risk appetite (6c); internal audit has the right to attend/observe executive committee meetings (13); and the audit committee chair is responsible for tasking and appraising the head of internal audit (17).

On auditing risk appetite, one HIA says: "Auditing risk appetite is a challenging area, we will need to assess employees' understanding of the organisation's risk appetite, and how that relates to the job that they do. Assessing how someone's work and approach reflects the organisation's risk appetite will be perhaps more subjective than some internal auditors would like."

Another adds: "I am unsure whether internal audit should be assessing the 'tone at the top' itself, or checking whether there are processes in place to check the tone at the top and the organisation's risk appetite. Can internal audit assess whether the values being communicated are the right ones?"

Around one in seven respondents (14%) foresees problems trying to ensure that internal audit's scope includes strategic and operational information (6b of the Code). The same percentage also believe that they may not be able to ensure that their secondary reporting line will be to the CEO, or that they will be able to report directly to the chair of the audit committee as their primary reporting line (recommendation 20 of the Code).

One HIA is concerned that the recommendations regarding the reporting line may be too prescriptive: "While my first reporting line is to the chair of the audit committee, my second line is to the CFO - not the CEO. This arrangement suits our organisation and does not impact the work of internal audit or our independence." Another HIA says: "It is not practicable for us to report to the chief executive in our organisation."

Some 16% of respondents also say that it is going to be difficult to gain boardroom support for the head of internal audit getting the appropriate seniority (at executive committee level - recommendation 12). As one HIA says: "I think some organisations will struggle to comply with recommendation 12. Small internal audit functions are unlikely ever to achieve that kind of relationship with executive management, especially if the legacy has always been that internal audit does not have that kind of relationship. Trying to elevate internal audit's status would just look self-serving."

The same percentage of respondents (16%) say that it will be difficult to get boards to support making the audit committee chair responsible for recommending the HIA's remuneration structure (recommendation 18). Currently only one-quarter say that this happens. One respondent explains: "The chair of the audit committee does not have the experience, expertise, or time to appraise the head of internal audit's work and remuneration."


Auditing culture

  • Auditing culture is seen as the most difficult area of the Code, with around one-third saying it poses significant challenges
  • However, some HIAs are already making progress on how to approach the audit of culture.

Recommendations 6d and 6e represent the most difficult area of the Code - over one-third (38%) of HIAs say they will pose significant challenges. These cover the organisation's culture, both risk and control culture and the way it treats its customers or behaves in markets. One respondent said that he/she welcomed the IIA's work in this area and would wait until further guidance was issued before conducting a culture audit.

Chris Field at Yorkshire Building Society says that: "recommendations 6b and 6d go right to the heart of what the board does and not many internal audit departments are currently positioned to provide robust assurance in these areas. As a head of internal audit you will need to have personal credibility and the function will need to be really championed and supported to be able to follow these recommendations. The Code aims very high here and I doubt that many organisations can presently say that they genuinely follow them."

David Barnes, Chief of Staff, Global Internal Audit at HSBC, says that: "auditing risk culture is going to be a real challenge for many internal audit functions. It requires auditors to adopt a different approach and mindset and you need an enhanced set of skills and understanding to do it effectively. Also, how do you carry out a culture audit? Do you do a specific culture audit, or should it be embedded within the scope of normal audit work, or be a combination of the two? Should you also seek to link cultural issues through root-cause analysis?"

Some are already making progress on how they can approach a culture audit. Barclays' Nicola Rimmer says that internal audit "needs to know as a profession what 'business culture' is supposed to look like before we try to audit it", adding that "one of the steps that we have already taken is to set up a rating system to see how managers deal with risks - such as the speed at which they implement recommendations, and the time it takes for them to report new risks. Currently, this is at a business unit level and is reported quarterly. We plan to incorporate this approach into every audit we carry out." She also says that "the timing of the Code's launch has tied in neatly with a corporate-wide review of the bank's culture and practices, so it has not been a problem to get management onside."

Recognising the difficult issues surrounding the audit of culture, the IIA is conducting an analysis, looking at case studies, and preparing guidance that will be issued shortly.


Case study 1 

Nick Collins, Head of Internal Audit at Virgin Money

We have been very clear since we entered the market as a new challenger bank that we are committed to doing things in a better way, and that has enabled us to adapt our internal audit structure and approach to reflect the best practice principles enshrined in the Code. 

Since Virgin Money acquired the retail banking business from Northern Rock two years ago, it has totally revitalised and changed the business, including the introduction of the necessary governance and operational changes needed to integrate the two businesses. As a result, it has been a fairly straightforward process to make the necessary changes to comply with the spirit of the Code. 

The process has also been made easier by having the support of the executive team and the board. Our chief executive and audit committee immediately saw the benefits in complying with a code of practice that has regulatory backing, and one that is aligned to our quest to build a better bank. They also appreciate the greater clarity around the role of internal audit, and the value and assurance we can bring to the organisation, particularly in terms of supporting effective risk management. 

While we comply with the vast majority of the Code's recommendations already, our gap analysis has made us consider in particular the level of skills and capabilities we have in our audit team. The Code requires organisations to have good, experienced auditors that can perform deeper audits in more challenging and judgemental areas. This inevitably brings the need to grow the capability in our team and consider the specialist skills needed to effectively deliver the increased expectations. And with the Code adding weight, the audit committee is fully supportive of providing the resources to strengthen the team. 

As one may expect, there are some parts of the Code that are likely to take more time to comply with: the scoping issue around auditing culture is an obvious one. This is new territory for the profession, and there is a need for further practical guidance to support the Code in this area. We have also spent time discussing what the responsibilities of the audit committee are under the Code, as there are several recommendations that require the audit committee to take the lead. We will continue to work through the audit committee and take the time needed to fully understand what is required in practice for full compliance to be achieved.

Case study 2

Paul Marshall, Group Head of Internal Audit at Old Mutual

In my view the Code is a very positive step and the recommendations set out what a board and a regulator would expect from a good internal audit function. The Code is not about compliance necessarily - it is more about what internal audit should do to position itself properly within the organisation, to provide the right level of assurance and to help keep the company safe, including providing assurance on management information to help the board with strategic decision-making. 

While the chair of our audit committee, Roger Marshall, was solidly behind us adopting the Code (he actually chaired the IIA committee on its development), the executives needed to fully appreciate the reasons why the Code was necessary given that they considered our internal audit function to be "fit for purpose" following the findings of an external quality review. The explanatory notes which came with the final version of the Code were particularly helpful in explaining that the specific items contained in the various recommendations - such as those under recommendation 6 with regards to internal audit's scope, auditing culture and the organisation's risk appetite - did not necessarily need to feature on the plan of audit activity for every year. 

We already follow most of the recommendations within the Code, but there are some challenges. Internal audit has already started to look at how to audit culture and risk attitudes, and through working with the chief risk officer and HR to develop and apply a risk and control culture framework comprising 50 specific characteristics, we now have a consistent basis for an assessment of the risk and control culture of each of the major business units within the group. We aim to develop this further, enabling us to monitor trends over time. 

More broadly, there are some elements that are likely to pose problems for HIAs. For example, to strictly comply with recommendations 17 and 18 regarding the appraisal and remuneration of the head of internal audit would require a non-executive to perform what is in essence an executive responsibility. A likely solution - certainly in our organisation - is for performance management to be led by the chief executive with input from the chair of the audit committee.

Recommendations 12 and 13 about whether internal audit has appropriate authority with the executive and the right to attend executive meetings may also pose problems. The key issue for me is whether the internal audit function is informed promptly of key issues happening in the organisation and has the flexibility and agility to become involved quickly where needed. Speaking personally, my preference would be to earn the right to be invited to executive meetings because of the contribution I can make as the chief internal auditor, rather than it being required through a code that says that I should have the right to attend.

Content reviewed: 1 February 2023