With attention comes attention. Internal audit has been looking to elevate its "seat at the table" for as long as I can recall. And, in 2013, internal audit is being given that seat more and more as a result of regulatory intervention. Internal audit is getting attention.
As you have likely noticed, internal audit is increasingly finding itself on the radar of regulators around the world, particularly those overseeing financial services. We saw this in the U.S. Federal Reserve Guidance that came out earlier this year. And, in response to concerns being raised by financial services regulators in the U.K., The Chartered Institute of Internal Auditors published Effective Internal Audit in the Financial Services Sector: Recommendations From the Committee on Internal Audit Guidance for Financial Services. Even the New York Stock Exchange and NASDAQ have been proposing potential changes to their listing requirements where internal audit is concerned. A common thread in the regulators' efforts seems to be a quest for more independent, more effective internal audit functions with better access to company boards.
The question is: Why? Is it because they think we haven't done a good job? Or, is it that in their post-mortem analysis of the circumstances leading up to the financial crisis, they concluded that such measures would enhance internal audit's potential to foster effective risk management and governance?
I think it's a little of both. Most of us would agree that, as a profession, we didn't knock it out of the park in helping to identify or having an impact on the way risks were being identified, discussed, and managed in financial services. I don't think anyone has been shouting from the rooftops, "Where were the internal auditors?" But I do think that regulators realized that, in many cases, internal auditors hadn't been given the independence and stature they needed to be effective.
Often, we didn't have necessary access to the board. The resources for financial services internal audit, both in terms of numbers and talent, also were inadequate. A few months ago, the chief audit executive (CAE) of one of the largest global banks chronicled for me how his predecessor had his resources reduced by almost 40 percent between 2005 and 2009.
I think regulators are getting it right. Requirements, such as those put forth by the U.S. Federal Reserve Board and covered in my Jan. 28 blog, underline what we at The IIA have been promulgating and recommending for years:
- The CAE should report administratively to the CEO.
- Internal audit management should perform knowledge-gap assessments at least annually to evaluate whether staff members have the knowledge and skills commensurate with the organization's strategy and operations.
- Internal auditors generally should receive a minimum of 40 hours of training annually.
- The internal audit function should have a code of ethics that emphasizes the principles of objectivity, competence, confidentiality, and integrity, and that code should be consistent with professional internal audit guidance such as The IIA's Code of Ethics.
- The audit committee and its chairperson should have ongoing interaction with the CAE, separate from formally scheduled meetings, to remain current on internal audit department, organizational, and industry concerns.
- The audit committee should receive, at least annually, an opinion on the adequacy of risk-management processes, including the effectiveness of management's self-assessment and the remediation of identified issues.
- Internal audit's risk-assessment methodology should address the role of continuous monitoring in determining and evaluating risk.
- High-risk areas should be audited at least every 12 to 18 months.
- Internal audit is encouraged to use formal, continuous monitoring practices as part of the function's risk-assessment processes to support adjustments to the audit plan as they occur.
This is not a complete list, but you get the picture. A well-designed, comprehensive quality-assurance program should ensure that internal audit activities conform with The IIA's globally recognized International Standards for the Professional Practice of Internal Auditing as well as with the individual organization's internal audit policies and procedures. The program should include both internal and external quality assessments.
Each institution should conduct an internal quality assessment annually, and the CAE should report the results and status of these internal assessments to senior management and the audit committee.
Regardless of why internal audit is on regulators' radar, I see it as a very positive sign. What do you think?