Effective Internal Audit
in Financial Services
(the FS Code) David Alexander, MD, Daart Solutions & CIIA EQA Panel Member
Contact: [email protected] 07584 092411
Today’s Programme
1. Why the FS Code and what was the impact?
2. Regulator’s perspective
3. Key findings of the 2017 review:
• what has gone well
• what has changed
4. CIIA’s “call to action” for guidance
5. Some continuing challenges faced by IA teams
6. YOUR experiences/observations
FS Code’s Journey
• Financial crisis
• 1st line …. 2nd Line …. Andrew Bailey (FSA) 2011
“I don’t believe that we are in the right place today in terms of the
role and influence of these risks and (internal) audit functions”
• CIIA Committee (Roger Marshall 2012)
• Feb 2013 (draft) …. July 2013 (published)
• Recommended “review in 2-3 years”
• CIIA Committee (Mike Ashley) Sept 2016
• Updated Code published Sept 2017
FS Code’s Impact (2013)
• Put IA on the board (and executive) agenda
• Some concern at the regulators’ (now 2) approach
• Lack of guidance accompanying the “code”
• Changes to IA’s Role / Purpose
• Focus on:
opinions, risk, compliance & finance
Board & Exec MI
Conduct, Culture, Events
FS Code’s Impact
• Raised the bar for HIAs
• Gap analyses/EQAs
• Reporting lines clarified
• Casualties
• Significant appointments
• Co-source growth
• Increase in skills and in budgets
Context from a key regulator
• Stephen Brown (HIA, BofE) – IMF speech Dec 2016
• Reminder – the definition of internal auditing ….
“an independent, objective assurance and consulting
activity designed to add value and improve an
organisation's operations.”
“It helps an organisation accomplish its objectives by
bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control, and governance processes.”
Stephen Brown’s observations
Basel Committee Audit Sub-group (2012)
• “Principle 1: An effective internal audit function […]
help[s] the board and senior management protect their
organisation and its reputation”
FS Code (2013)
• The primary role of Internal Audit should be to help the
Board and Executive Management to protect the
assets, reputation and sustainability of the organisation.
Global IIA (2015) “mission” (but not the definition)
• “To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.”
Senior Manager & Certification Regime (2016)
• HIAs at UK banks are now designated as one of a number of
“Senior Managers” who must be approved by both financial
regulators before taking up their position.
Stephen Brown’s observations
“… if we get to the point where IA functions get good at
protecting their banks, then that sounds like a useful
thing for supervisors and other authorities ….”
What has been the regulatory feedback on the FS Code:
• access to key information and attendance at key
governance forums is much improved;
• Internal Audit’s reporting lines have been adjusted to
better preserve their independence;
• resourcing (in terms of overall headcount) appears to
have increased generally across the industry.
• ………. But what about assurance v. protection?
Stephen Brown’s observations
View of the CIIA Committee (2013)
“supports this [IIA] definition but ….. emphasises that
the primary role of IA is to protect the organisation.
At the discretion of the Audit Committee, IA can perform
other roles and activities, but ……
……. not at the expense of helping the Board and
Executive Management to protect the assets,
reputation and sustainability of the organisation.”
View of the CIIA Committee (2013)
How does IA “…. help the Board and Exec Management
to protect the assets, reputation and sustainability”
• assessing whether all significant risks are identified
and appropriately reported by Management and the
Risk function to the Board and Exec Management
• assessing whether they are adequately controlled;
• challenging Exec Mgmt to improve the effectiveness of
governance, risk management and internal controls.”
Impact of the FS Code
Example Commentary on IA Planning
“to significantly improve internal audit planning to
ensure that it reflects the business model and risk profile
of the organisation, rather than what internal audit or
management are comfortable auditing.
In other words, internal auditing needs to be truly risk
based.”
[Diagram: Four Key Steps… Code → Impact …]
2017 Review Conclusions
• FS Code achieved all or most of its original objectives
• Has supported real improvements across the sector
• Remains highly relevant and fundamentally sound
• Modest updates – clarifications and emphasis
• Highlighted the drive for further improvement
Drive for Further Improvement
• HIAs and AC Chairs to demand more from IA teams
• CIIA to produce more practical material on application
& implementation – in particular helping smaller teams
• CIIA, professional firms and FS firms to seek new
ways to promote benchmarking and sharing best
practice, building in particular on external quality
assessments (EQAs)
• Continued (increased?) support from the regulators.
More reference to the Code by supervisory teams.
Key Changes:
• report annually on whether firms are adhering to their
own risk appetite framework;
• review the action taken by the firm following any
significant adverse event, such as regulatory breaches,
including the roles of all the key actors;
• plans should be regularly reviewed to take account of
new and emerging risks;
Key Changes:
• look critically at the work of the organisation’s other
control functions, in terms not only of their processes but
also their quality; and
• play a central role in assessing the culture of the firm. It
should look not only at the ‘tone at the top’, but also at
whether behaviours right across the organisation are in
line with its stated values, ethics, risk appetite and
policies, and report on its findings.
CIIA “Call to Action”
• New Product development
• Retail Credit Risk
• Risk assessment and audit planning factors
• Auditing outcomes in specialised areas (e.g. cyber)
• Actions following adverse events
• Annual assessments of governance, risk and control
• Criteria for Audit Committees to assess IA effectiveness
What about beyond financial services?
Some Continuing Challenges
• Proportionality
• Aligning IA risk view with the business’ risk view
(v. independent view of risks)
• Assurance Mapping
• Data Analytics
• Quality Assurance & Improvement Programme
• Culture, Conduct, Change and Cyber
• “7 year itch”
Questions/Concerns from the breakout session
1. What is the best approach to auditing culture?
Continuously – in a range of audits. Use skilled (co-source)
assistance; but don’t fully outsource the review. Retain knowledge!
2. Is the 7 year rule a precursor to rotation?
No – but it places onus on Audit Committees to annually confirm
“independence”.
3. If the IA function has been outsourced, do you still need an EQA?
Professional firms have EQAs but each regulated FS firm technically
still requires a separate EQA (at least) every 5 years.
Questions/Concerns from the breakout session
4. What does it mean for HIAs and AC Chairs to demand more from
IA teams?
HIAs/AC Chairs tend to have absorbed much of the impact of the
Code and the related discussions. Aspects need to be cascaded
down to IA team members (e.g. strategy, gap analyses, planning)
5. When will the extra guidance appear?
Some is already on the IIA website (e.g. new product development,
retail credit risk) – look out for the rest over the next few months.