Internal audit (IA) has too often been perceived within financial services as a peripheral function with limited value. As Andrew Bailey, Chief Executive Officer of the UK’s Prudential Regulation Authority, said: “expectations… [have] been set too low,” especially in terms of IA’s “role and influence”.
For this reason, the Chartered Institute of Internal Auditors is introducing a stronger code of conduct for financial services firms. The UK’s financial regulators, which helped develop the new code, will use it to determine ‘what good looks like’. For financial services firms, compliance means potentially greater self-regulation and less regulatory intervention. It is therefore in their best interests to ensure their IA functions are in good shape.
To take your internal audit from ugly duckling to swan, you need watertight credibility, the right talent and a practical, supportive approach to engage the business at all levels.
Getting the right talent in place
IA functions often struggle to attract the right mix of people. Salaries are going up and the ‘internal police’ stigma is subsiding, but recruitment is still largely from external audit firms, which creates a uniform skill-set and way of engaging with stakeholders.
As well as having strong analytical skills, your IA team must have a thorough understanding of the business and be able to build consultative relationships, communicate and influence effectively and become trusted advisors. Furthermore, they need to show the right values and approach. Simply complying with the letter of the law is insufficient; IA professionals must embrace the role of internal regulator.
In our work with financial services firms, we have found the following to be effective in creating the right IA team:
- rotate senior managers from the business into IA roles to promote greater mutual understanding and collaboration
- ensure there is regular knowledge transfer between technical experts and IA personnel to help them identify and address risks
- outsource specific reviews and tasks to alleviate shortfalls in expertise or resources.
Challenge who ‘owns’ IA in your firm
For your IA to be influential, it must be credible. All too often, however, we have seen IA coming under the influence of senior executives or reporting into the very divisions the team are supposed to be assessing. It is therefore vital to challenge the existing approach where necessary: you should align IA’s accountability with non-executive board members and ensure it remains independent from ‘second-line of defence’ risk management and compliance functions. We have also found that IA should be represented at board meetings to ensure greater assessment of risks around overall strategy, governance, business model and second-line functions.
Ensure IA works effectively with the business
Through business engagement and desk analysis, your IA should identify the areas of greatest threat to the finances or strategic direction of the firm. Once priorities have been agreed, we recommend your IA communicates a set of outcome-based deliverables and then aligns all core activity towards their development. This is likely to require risk analytics, product-based plans and the optimisation of existing processes.
We also recommend that IA actively collaborates with the business. We have found that, instead of broadcasting recommendations from afar, IA should give the business direct support in the delivery of remedial actions. Similarly, writing recommendations in a pragmatic and realistic manner, providing supporting evidence and making sure that business units fully understand the reports they are given will help ensure IA documents are effective.