We have conducted a review of how internal audit functions in financial services institutions have changed since the introduction of our Financial Services Code in 2013. This report is based on a survey of Heads of Internal Audit who are members of the IIA. We also asked a number of audit committee chairs to give us the view from the boardroom.
Download a PDF of the report, produced with the support of Protiviti.
The Chartered Institute of Internal Auditors (IIA) published its Financial Services Code, “Effective Internal Audit in the Financial Services Sector”, in July 2013. It contained guidance developed by an independent committee made up of non-executives, executives and internal audit practitioners, chaired by Roger Marshall, Audit Committee Chair of a FTSE 100 insurance group and a Director at the Financial Reporting Council.
The two financial regulators, the PRA and the FCA, welcomed the Code, adding that they would use it when assessing the effectiveness of internal audit as part of their supervisory judgement. The Code is therefore not just a valuable tool aimed at internal auditors - it is a key input into the way boards, audit committees and executives are expected to use and interact with their internal audit functions. It represents a huge opportunity for internal audit to raise its game with the support of the audit committee and make itself essential to the success of its organisation.
This report represents a snapshot of how internal audit functions in financial services institutions have changed since the introduction of the Code, based on a survey of Heads of Internal Audit who are members of the IIA. We also asked a number of audit committee chairs to give us the view from the boardroom. The results reveal the extent to which financial services institutions are embracing the Code’s recommendations, the opportunities the Code presents, and the challenges it poses. It also takes a first look forward at how the Code might need to develop in future.
I hope this report’s conclusions are useful to audit committees, senior executives and Heads of Internal Audit as they consider the effectiveness of their internal audit functions. I would like to thank all those who took part, and in particular Protiviti for their generous support for this project.
The Chartered Institute of Internal Auditors (IIA) launched its Financial Services Code, Effective internal audit in the financial services sector, in July 2013. In this report we publish the findings of a survey of IIA member Heads of Internal Audit (HIAs) in the financial services sector carried out in February 2015 to provide a snapshot of progress towards implementation of the Code. We also conducted follow-up interviews with audit committee chairs about some of the issues that emerged from the survey.
Seventy-three HIAs responded to the survey. Participants in the survey represent key parts of the UK financial services sector, including banking, insurance, building societies, credit unions and asset management. The audit committee chairs of ten organisations gave non-attributable interviews.
Our survey and interviews reveal that there have been some significant changes in the governance, resourcing and tasking of internal audit since the IIA Code was introduced in July 2013, and that it is the Code that has driven these changes by setting out consistent expectations of internal audit functions for boards, audit committees and regulators alike. There have been notable increases in final accountability for internal audit lying with the chair of the audit committee, in HIAs having a secondary reporting line to the CEO, and in HIAs attending executive committee meetings and having access to key board and committee documents. On balance internal audit budgets, staff numbers, seniority levels and levels of training have all increased. Internal audit has also become more active in looking at areas such as culture, key corporate events, risk appetite, customer treatment, and the outcomes of processes.
The audit committee chairs we interviewed have all engaged in developing the role of internal audit, where necessary moving it in line with the Code. They see the Code as an important tool for supporting corporate governance, are embarked on a process of continuous improvement and welcome the improvements in the support they are getting from their internal audit functions. The Code has given them a benchmark against which they can judge the function, and where necessary, they are using it as an agent for change. In some cases this has also meant bringing in a more experienced HIA.
On guidance, most HIAs looked to the IIA to provide material on what good internal audit should look like in the sector and on particular issues, such as culture (see Annex for a list of the guidance the Institute has provided in response). The main request levelled at the regulators concerned giving more information about their expectations on how far organisations should apply the Code depending on their size. The regulators for their part have indicated that they do not wish the Code to be too prescriptive, saying that they are not offering specific guidance to internal auditors on the Code, but are happy to make observations and give feedback to organisations when asked.
We also asked participants to look forwards to identify where the Code could be improved in future. Most seemed content for the moment, and there were few specific comments. One possible area identified for development was Paragraph 6 of the Code, which gives examples of specific issues that should be included within the scope of internal audit. It was felt that this could be kept under review and refreshed. But there was a widespread view of both HIAs and audit committee chairs that the Code needed more time to bed in.
On this last point, there is clearly more that needs to be done to implement the Code. In particular, a small but significant number of audit committee chairs are not yet engaging on implementing the Code. Their HIAs, supported where possible by the regulators, need to ensure that progress on applying the Code is on the agenda for their meetings with their audit committees. Particular areas for attention are: reporting lines; rank / status of the HIA; signing off the internal audit budget; appraisal and remuneration of the HIA; and frequency of the external quality assessment (EQA).
There is also a question about how much regular contact there should be between the regulators and HIAs. It is clear that there is already engagement on the issues that concern internal audit between the regulators and audit committees. The general view from this study is that engagement with HIAs themselves is likely to grow in future for a number of reasons: increasing familiarity with the Code; increasing confidence in internal audit functions on the part of the regulators; and the regulators turning their attention to smaller institutions, having focused at first on the strategically most important.
It is also important that adherence to the Code actually changes the way internal audit performs on the ground and the impact it has. The Code should not be a tick-box exercise but should promote genuine change. For many organisations the Code can be used as the catalyst for a cultural change in the way the board and management regard and interact with internal audit, allowing it to provide more effective support for audit committees. New reporting lines or attendance at meetings, for example, are not enough in themselves. For other organisations, where the Code requires internal audit to operate in new areas such as culture or strategic events, it will mean HIAs and their staff acquiring new skills and applying new tools. Simply addressing these new issues in order to tick the box is not sufficient - internal audit's work must be substantive and add value, and this is likely to take time to develop.
We received 73 responses to our survey of IIA member HIAs in the financial services sector, a response rate of 27%. Of these, 35% came from the banking sector, 46% from insurance, 18% from investment and 2% from financial advisers. As this represents a disproportionate number from insurance, we have analysed the key results by sector to see if the picture is consistent. Looking at size of audit function, 56% were small (0-5 staff), 28% were medium (6-20 staff) and 16% larger (21+ staff). Here too we looked for variations in the results.
Figure 1 reveals a lack of engagement between some HIAs and audit committees in responding to the IIA Code. In our first report on the Code, “Embedding effective internal audit in the financial services sector – a progress report” (see annex), we found that some 95% of audit committees were aware of the Code. This level of awareness does not appear to have been followed up in implementing the recommendations, especially in the banking sector, where 23% said “No”. Size is clearly a deciding factor here, as all the HIAs of organisations with larger functions had engaged with their audit committees.
Nevertheless in many cases HIAs clearly need to take the initiative with their audit committee chairs to ensure that the latter take advantage of the increased internal audit effectiveness that the Code can bring about. As one audit committee chair put it "Given the increased personal liability of NEDs, why would audit committee chairs not want better support from their HIA?"
According to the IIA Code, all of the tasks in Figure 2 should be the final responsibility of the audit committee chair. So, while considerable progress has been made, in particular on appraisal and remuneration, there is still a lot to do. The banking sector fares somewhat better than other sectors here, with, for example, 78% taking responsibility for both the appraisal and remuneration of the HIA (50% and 43% respectively for insurance). Organisations with larger functions have gone further than small or medium-sized ones, with all of them signing off on the audit plan, and appointment and dismissal of the HIA. Audit committees in larger functions also show the most progress towards taking responsibility for remuneration of the HIA, with the percentage jumping from 45% in 2013 to 73% now.
Some of the audit committee chairs we spoke to thought that there had to be a limit to their involvement, given the level of commitment they were able to give and their other responsibilities for e.g. financial accounts and external audit. All recognised the importance of their strong input into the various aspects of overseeing internal audit. However some preferred to intervene when there were issues between internal audit and the executive, e.g. on internal audit budgets, rather than permanently taking on all direct line management responsibility. This may explain why only 60% have final accountability for the internal audit budget while 96% have for the plan. Similarly some chairs prefer to contribute to their CEO’s appraisal of the HIA rather than carry out themselves what they see as an executive function.
It is worth noting however that the regulators regard audit committee accountability for internal audit as a vital element in protecting the independence and objectivity of the function, and that this should not simply be seen as a tick-box criterion. Audit committee chairs need to engage fully on these seven aspects of accountability and ensure they properly consider and understand the issues involved in their decisions.
One of the areas where the Code has had a marked impact is in the position and status of the HIA. This is most marked in their presence at executive committee meetings, which jumped from 48% to 84% overall, from 52% to 91% in the banking sector, and from 58% to 92% in organisations with larger functions. Even in small functions the increase was significant, jumping from 45% to 80%. One audit committee chair, however, warned that HIAs would need to be careful that attendance at these meetings did not lead subconsciously to identifying with the executive and its decisions, thus undermining objectivity. Another commented that mere attendance was not enough - HIAs needed to use their attendance to engage with senior management on strategic issues and use that knowledge and experience to increase their influence and effectiveness.
Secondary reporting lines have also changed significantly, with 81% now reporting to the CEO. In the banking sector this is over 95%. This is an important development as it enhances the HIA’s authority and reduces the potential danger of those who are audited being able to exert influence over the HIA. It also recognises the importance for effective coverage of the organisation of the HIA having a good working relationship with the CEO and senior management. However one audit committee chair expressed the concern that the CEO might not be able to devote sufficient attention to internal audit.
Access to papers relating to key decisions is essential for HIAs if internal audit is to play a more strategic role in supporting audit committees, for example by offering advice and assurance on M&As, new products, etc. The Code has clearly had a positive effect here, with all respondents now having access to audit committee papers and a much higher level of access to board and executive committee material. Here too the banking sector is well advanced, with 95% of HIAs accessing executive committee papers. In organisations with larger functions the trend to greater strategic involvement has gone even further, with all now accessing both board and audit committee papers, and over 90% executive committee papers.
We also asked about the rank equivalent of the HIA. Here too there have been marked changes, with a doubling of the number of those who are regarded as equivalent to executive committee members, such as the CFO (to 38%). In organisations with larger functions one half of HIAs now have executive committee status (30% in medium and 38% in small).
One of the important recommendations of the IIA Code, echoing concerns expressed by the Parliamentary Commission on Banking Standards, was that functions like internal audit should not be incentivised in the same way as management and line staff. Here there is still some way to go, with 31% of all respondents still receiving bonuses linked to other performance reward schemes or short term profitability. In the banking sector this is much lower, at 17%. The insurance sector has furthest to go, with 41% still receiving linked performance rewards. Audit committee chairs were divided on this. Some felt that effective internal audit was crucial to the success of the business and that it should therefore share in a bonus pot based on profitability. They did however stipulate that its share should be judged on internal audit effectiveness and not overall company performance. This is another area of particular concern to the regulators, who do not want internal audit's remuneration linked in any way to rewards related to unacceptably high risks.
The ability to have unrestricted access to an organisation and its functions is a key factor that supports internal audit’s independence and its provision of objective judgements. The Code has clearly helped nudge organisations in the right direction, and 96% of respondents now say they have unrestricted scope for their work.
The Code has also extended the areas where internal audit involvement is seen as critical. The Code recommended that, within an unrestricted scope, internal audit should ensure it covers the seven areas outlined in Figure 7. As can be seen there has been a significant effect, in particular in the areas of culture (both risk and customer treatment), processes, key corporate events and risk appetite. This trend has gone furthest in organisations with larger functions and in the banking sector, where several areas have full coverage (for larger functions all bar risk culture and key corporate events, for banks all bar risk culture, customer treatment, key corporate events and capital/liquidity risks). The one proviso is that it is not sufficient to pay lip service to work in these areas. It should be substantive and add value, recognising that developing internal audit coverage may not be easy and may take time as the function moves up a learning curve.
A good example of where internal audit is being asked to operate in the new field of culture is in a bank that has been through a merger and restructure. The management team is currently reviewing culture and taking measures to embed it in the new enterprise, and their work will be audited in the next audit plan period. According to several audit committee chairs, HIAs are increasingly giving their views (gut feel) as outputs in reporting to the committee, a reflection of the changing relationships as a result of the Code.
A large number of internal audit functions have seen their resources, however measured, increase since the introduction of the Code. In terms of budgets, the change is most noticeable in banking, with 57% experiencing an increase. Larger functions have seen the greatest increase in the seniority or experience of staff. These results support the view that the Code is raising the bar for internal audit, requiring it to meet the new challenges presented. The survey, supported by our discussions with audit committee chairs, also suggests that committees are responding sympathetically and are engaging positively with their CEOs on ensuring adequate resources. A few of the audit committee chairs we spoke to had concluded that the new demands being put on internal audit had significantly raised the bar, and had used the Code to appoint a more experienced HIA with the necessary skills. Most however were satisfied that their current HIA was up to the new challenges and were content to work in tandem to implement the Code. Here up-skilling had tended to occur at deputy HIA and other levels. One chair commented that it was difficult for NEDs to judge how much internal audit work is necessary and therefore what resources to give to the function. Others had used an external review of internal audit to get that advice.
There are two aspects of quality covered by the Code. The first is the external quality assessment. The Code does not prescribe the frequency required, although it refers to the IIA International Standards, which specify at least every five years. Compliance with the IIA Standards (which are a requirement for IIA members but have no force with others) has improved considerably since the Code’s introduction, although there is still some way to go. The banking sector has already hit the 100% target, with insurance at 93%. The overall figure is dragged down by the investment/financial advice sector. Larger functions are fully compliant. One question to look at, if and when the Code is revised, is whether this part should be specific about a five-year maximum.
The Code also called for internal audit functions “of a sufficient size” to develop an internal quality assurance capability working independently of those delivering the audit. This has led to an increase from one half to nearly two thirds having this function. All the HIAs of larger functions responding to the survey said they had this and 60% of medium-sized. This suggests that organisations have noted and applied the flexibility allowed in the Code. There was a notable difference between the sectors, with 90% of respondents in the banking sector having an internal team compared to 49% in insurance. We also asked respondents whether they outsourced this function. Nearly one quarter (22%) said they did so.
The Code calls for the HIA and other senior managers within internal audit to have an open, constructive and cooperative relationship with the regulators “which supports the sharing of information relevant to carrying out their respective responsibilities”. It is perhaps surprising therefore that there seems to be little change in the number having regular meetings with the regulators. There is not much difference between the banking and insurance sectors. Of the larger functions 75% have these regular meetings. Many of the audit committee chairs we spoke to report a satisfactory level for their own contacts with the regulators, and suggest that it may be taking time for the relationship with internal audit to develop. It may also be the case that other assurance functions, such as risk or compliance, are receiving more attention. One chair suggests that the regulators will want to rely on internal audit feedback rather than Section 166 action. Another reports that their external auditors are experiencing an increasing level of regulatory interest in internal audit through the reporting cycle and assume this will manifest itself soon in a thickening of direct contacts.
As a smaller bank, they believe that the regulators may be focusing on the biggest risks first. It is also suggested that specific issues may only be taken up with internal audit if the FCA’s Firm Systematic Framework reviews reveal issues. One chair warned of the risk that too close a relationship between internal audit and the regulator would, if internal audit came to be regarded as an agent of regulation rather than a support for the audit committee, undermine the function’s ability to operate internally.
The Code calls on the IIA to develop additional guidance on its implementation, in particular in less established areas such as culture and outcomes. In the survey well over 80% of respondents said that they had received sufficient guidance from the IIA. We have already published guidance on culture, auditing corporate governance, root cause analysis and risk appetite (see annex), and are working on auditing capital and liquidity risk (with an emphasis on capital adequacy requirements) and new product development (with an emphasis upon fair customer treatment). In September 2014 we also produced “Building effective internal audit in the financial services sector”, a compendium giving examples of good practices by some early adopters.
There seems, however, to have been an expectation among respondents that the regulators would have been more active in giving guidance on the Code, with around three quarters saying they had not received enough from either the PRA or the FCA. It is worth noting that “Building effective internal audit in the financial services sector” also contains the views of the PRA and FCA on how the various aspects of the Code should be applied. One audit committee chair reported attending a general meeting with one of the regulators where the latter had appeared to use “Building effective internal audit” as a guide. We would suggest that, if this publication does not cover a particular concern of HIAs, they raise it directly with the regulators. Our contacts with the regulators suggest that they are ready to respond.
The Committee that drafted the Code recommended that the IIA should review it after a period of two to three years and consider amending or updating it as required. The Institute will be considering this in 2015/16.
As part of the survey, we asked respondents to say where they thought the Code needed revision or clarification, and whether there were additional areas that should be covered as and when the Code is reviewed. One HIA thought that this should be done in the context of new European legislation or regulations, which suggests 2016 (when the EBA will be reviewing governance) at the earliest.
Only a small number of HIAs offered comments, and of these very few suggested changes. All the audit committee chairs thought that more time was needed before a review to allow the Code to be properly embedded and more experience gained. One particular suggestion for review was the list of specific areas for internal audit attention within its unrestricted scope (paragraph 6 of the Code). It was argued that these priority areas may change over time. It was also suggested that more precision could be given on risk culture and on the size parameters for requiring internal quality assessment. The relationship with the executive was highlighted as an area for possible further work, with some discomfort about all line management being done by the audit committee chair, and about the move from a close relationship with the CFO to one with the CEO. However, these represented individual concerns.
One audit committee chair interviewed was also on the board of a manufacturing company. He contrasted the reforms introduced in financial services as a result of the Code with practice in other sectors, and suggested that the Code’s recommendations should be applied more widely. They were “eminently sensible” and represent best practice for all internal audit functions. He suggested that this was an area for future work by the IIA.