The Basel Committee on Banking Supervision has released a draft of its supervisory guidance on the internal audit function in banks. The link to the 27-page document is at the foot of this summary. Comments are due in March.
The 15 principles in the draft relating to the role of internal audit seem straight-forward (there are 5 more relating to regulators and internal audit):
Principle 1: An effective internal audit function independently and objectively evaluates the quality and effectiveness of a bank's internal control, risk management and governance processes, which assists senior management and the Board of Directors in protecting their organisation and its reputation.
Principle 2: The bank's internal audit function must be independent of the audited activities. This requires that the internal audit function has an appropriate standing within the bank, enabling internal auditors to carry out their assignments with objectivity.
Principle 3: Professional competence, including the knowledge and experience of each internal auditor and of internal auditors collectively, is essential to the effectiveness of the bank's internal audit function.
Principle 4: Internal auditors should act with integrity.
Principle 5: Each bank should have an internal audit charter that articulates the purpose, standing and authority of the internal audit function within the bank.
Principle 6: Every activity (including outsourced activities) and every entity of the bank should fall within the overall scope of the internal audit function.
Principle 7: The internal audit function should ensure adequate coverage of regulatory matters within the audit plan.
Principle 8: Each bank should have a permanent internal audit function.
Principle 9: The bank's board of directors has the ultimate responsibility for ensuring that senior management establishes and maintains an adequate, effective and efficient internal control framework and internal audit function.
Principle 10: The audit committee, or its equivalent, should oversee the bank's internal audit function.
Principle 11: The head of the internal audit department should be responsible for ensuring that the department complies with sound internal auditing standards and with a relevant code of ethics.
Principle 12: The internal audit function should report to the audit committee or the board of directors and should inform senior management about its findings.
Principle 13: Internal audit should both complement and assess operational management, risk management, compliance and other control functions.
Principle 14: The internal audit function in a group structure or holding company structure should be established centrally by the parent bank.
Principle 15: Regardless of whether internal audit activities are outsourced, the board of directors remains ultimately responsible for ensuring that the system of internal control and the internal audit function are adequate and operating effectively.
I could quibble with Principle 9, which says that senior management establishes and maintains the internal audit function. However, Principles 10, 12, and 15 should compensate for any 'weakness' in #9.
Some of the detailed content reveals some outdated (IMHO) thinking. For example, instead of asking for a periodic audit plan that is focused on addressing the more significant risks to the bank, the document (paragraph 29) asks that EVERY area be subject to an audit based on a cyclical audit approach. I guess the answer is to say that low risk areas are audited every century, but I'm not sure how well the examiners would take that!
I also have a concern that paragraph 31 describes risk management as addressing "market, credit, liquidity, interest rate, operational, and legal risks." Where are strategic risks? Where are the risks that could cause bank failure, learning from the lessons of recent years.
If you work for a bank and have the opportunity, I urge you to read the draft and provide comments and suggestions for improvement.