Certified Public Accountants
& Business Consultants

Focus on Business Advisory Services: Basel Committee on Banking Supervision Assesses the Effectiveness of the Internal Audit Function in Banks

February 20, 2012
On December 2, 2011, the Basel Committee on Banking Supervision (the Committee) issued revised guidance for assessing the effectiveness of the internal audit function in banks. The proposed guidance builds upon the Committee’s Principles for Enhancing Corporate Governance and takes into consideration lessons learned from the recent financial crisis. Comments on the guidance are due by Friday, March 2, 2012 and can be submitted to the Committee via e-mail to baselcommittee@bis.org.
Executive Summary
The Committee guidance for internal audit is very much aligned with the Professional Practice Framework as established by the Institute of Internal Auditors. Therefore, most internal audit practitioners will find the principles and guidance very familiar and are probably already applying most of them. The guidance does reinforce the segregation of certain functions that normally only exist within banks: compliance and risk management should be separate from the internal audit department, and internal audit should include these functions in its internal audit plan. Communication between internal audit and the bank regulatory authority is encouraged, and the guidance provides suggested topics for discussion. The recommended assessment of the internal audit function should be based upon the IIA Standards and the principles outlined by the Committee.
 

Point of View

Through guidance, the Committee reaffirms:

  • that accountability remains at the top levels of financial institutions,
  • the need to understand and follow IIA standards to the extent practicable (based on the size of the financial institution),
  • the need to segregate compliance and IA activities,
  • that risk management needs to be coordinated across all functions, and
  • the need to promote proactive communication between the key players (IA and Regulators, IA and Audit Committee, IA and Senior Management).

 


The guidance is based on 20 principles across three areas: a) expectations of the internal audit function; b) the relationship between the regulatory authority and the internal audit function; and c) assessing the effectiveness of the internal audit function. In the following sections, we have summarized the key aspects of the principles.

A. Expectations of the internal audit function – this section includes principles and guidance on the following areas:

The internal audit function

  • Purpose

Key features of the internal audit function

  • Independence and objectivity
  • Professional competence and due professional care
  • Professional ethics

The internal audit charter

  • Charter

Scope of activity

  • Scope of work
  • Risk management
  • Capital adequacy and liquidity
  • Regulatory and internal reporting
  • Compliance

Corporate governance considerations

  • Permanency
  • Responsibilities of the board of directors, senior management, and audit committee
  • Management and reporting of the internal audit department
  • The relationship between internal audit, compliance and risk management functions

Internal audit within a group structure

  • Structure

Outsourcing of internal audit activities

  • Outsourcing

Point of View

Risk Management – The guidance reinforces the need for enhanced risk management, and a key aspect of this is keeping risk assessments updated to reflect current events and activities. The underlying message is for an enterprise-wide risk assessment to help leadership make business decisions based on a solid understanding of the underlying risks. The guidance, however, fails to include strategic objectives as a component of risk management. Without a risk-based view of strategic objectives, financial institutions may take on initiatives similar to the ones that led to the recent financial crisis.

Compliance – Compliance findings should be evaluated by the internal audit function as these may impact the scope of the internal audit work. Furthermore, compliance personnel, management, and internal audit should consider whether training is needed to drive a higher level of compliance.

The relationship between internal audit, compliance and risk management functions – A strong risk management framework would dictate that risks identified by all groups (internal audit, compliance, and risk management) be shared, categorized into one library of risks, risk owners assigned, risk indicators identified and developed, and effective monitoring activities defined to ensure action is taken when the risk indicators.

 

B. The relationship of the supervisory authority with the internal audit function – this section includes principles and guidance on the following areas:

Benefits of enhanced communication between the supervisory authority and the internal audit function

  • Communication

Potential topics for discussion between supervisors and internal audit

  • Discussion points



Point of View

Overall, maintaining effective communication with the supervisory authority benefits internal audit, as it can direct internal audit into areas that are of concern to the regulators. The head of internal audit and bank management should develop a communication plan encompassing certain discussion topics outlined in the guidance provided by Basel. The goal is to have a plan that benefits both parties, not just the regulatory authority, and is linked with the risk assessment to generate discussion on the high-risk areas of the bank.

     

C. Assessing the effectiveness of the internal audit function – this section includes principles and guidance on the following areas:

Assessment of the internal audit function

  • Assessment

Actions to be undertaken by the supervisory authority

  • Communication of and response to assessment

Point of View

A strong risk management framework would dictate that the findings from all groups (internal audit, audit, risk, and other monitoring functions within a bank) be shared and discussed, with an action plan developed and followed through to ensure the findings are properly addressed. We encourage banks to develop a formalized framework for gathering findings from internal audit, compliance, regulators, risk management, and other sources. The framework identifies the issues, sets a timeframe for remediation action, and establishes accountability.

A. Expectations of the internal audit function

1. The internal audit function

a) Purpose

Principle 1: An effective internal audit function independently and objectively evaluates the quality and effectiveness of a bank’s internal control, risk management, and governance processes, which assists senior management and the Board of Directors in protecting their organization and its reputation.

2. Key features of the internal audit function

a) Independence and objectivity

Principle 2: The bank’s internal audit function must be independent of the audited activities. This requires that the internal audit function has an appropriate standing within the bank, enabling internal auditors to carry out their assignments with objectivity.

b) Professional competence and due professional care

Principle 3: Professional competence, including the knowledge and experience of each internal auditor and of internal auditors collectively, is essential to the effectiveness of the bank’s internal audit function.

c) Professional ethics

Principle 4: Internal auditors should act with integrity.

3. The internal audit charter

a) Charter

Principle 5: Each bank should have an internal audit charter that articulates the purpose, standing and authority of the internal audit function within the bank.

4. Scope of activity

a) Scope of work

Principle 6: Every activity (including outsourced activities) and every entity of the bank should fall within the overall scope of the internal audit function.

Principle 7: The internal audit function should ensure adequate coverage of regulatory matters within the audit plan.

b) Risk management

Guidance: The internal audit function should include in its scope the following aspects of risk management: a) the organization and mandates of the risk management functions, including market, credit, liquidity, interest rate, operational, and legal risks; b) the adequacy of the risk management systems and processes covering all the risks resulting from the bank’s activities; c) the integrity of the risk management information systems; and d) the approval and maintenance of risk models.

c) Capital adequacy and liquidity

Guidance: The scope of internal audit should include: a) the bank’s system for identifying and measuring its regulatory capital and assessing the adequacy of its capital resources; b) management’s process for stress testing its capital levels; and c) the bank’s systems and processes for measuring and monitoring its liquidity positions.

d) Regulatory and internal reporting

Guidance: Internal audit should regularly evaluate the effectiveness of the process in place to produce reports for both internal management and the supervisory agency(ies).

e) Compliance

Guidance: The scope of the compliance function should be subject to periodic review by the internal audit function.

5. Corporate governance considerations

a) Permanency of the internal audit function

Principle 8: Each bank should have a permanent internal audit function.

b) Responsibilities of the board of directors and senior management

Principle 9: The bank’s board of directors has the ultimate responsibility for ensuring that senior management establishes and maintains an adequate, effective and efficient internal control framework, and internal audit function.

c) Responsibilities of the audit committee in relation to the internal audit function

Principle 10: The audit committee, or its equivalent, should oversee the bank’s internal audit function.

d) Management of the internal audit department

Principle 11: The head of the internal audit department should be responsible for ensuring that the department complies with sound internal auditing standards and with a relevant code of ethics.

e) Reporting of the internal audit function

Principle 12: The internal audit function should report to the audit committee or the board of directors and should inform senior management about its findings.

f) The relationship between internal audit, compliance and risk management functions

Principle 13: Internal audit should both complement and assess operational management, risk management, compliance, and other control functions.

6. Internal audit within a group structure

a) Structure

Principle 14: The internal audit function in a group structure or holding company structure should be established centrally by the parent bank.

7. Outsourcing of internal audit activities

a) Outsourcing

Principle 15: Regardless of whether internal audit activities are outsourced, the board of directors remains ultimately responsible for ensuring that the system of internal control and the internal audit function are adequate and operating effectively.

B. The relationship of the supervisory authority with the internal audit function

1. Benefits of enhanced communication between the supervisory authority and the internal audit function

a) Communication

Principle 16: Supervisors should have regular communication with the bank’s internal auditors to (i) discuss the risk areas identified by both parties, (ii) understand the risk mitigation measures taken by the bank, and (iii) monitor the bank’s response to weaknesses identified.

2. Potential topics for discussion between supervisors and internal audit

a) Discussion points

Guidance: The material provides a comprehensive list of topics that the regulator and internal audit should discuss, including all areas covered under section A4 – Scope of Activity.

C. Assessing the effectiveness of the internal audit function

1. Assessment of the internal audit function

a) Assessment

Principle 17: Bank supervisors should regularly assess whether the internal audit function has an appropriate standing within the bank and operates according to sound principles.

2. Actions to be undertaken by the supervisory authority

a) Communication of and response to assessment

Principle 18: Supervisors should formally report all weaknesses identified in the internal audit function to the board of directors and require remedial actions.

Principle 19: The supervisory authority should consider the impact of its assessment of the internal audit function on its assessment of the bank's risk profile and on its own supervisory work.

Principle 20: The supervisory authority should be prepared to take informal or formal supervisory actions requiring senior management and the board to remedy any identified deficiencies related to the internal audit function within a specified timeframe and to provide the supervisor with periodic written progress reports.

About the Basel Committee

The Basel Committee on Banking Supervision provides a forum for regular cooperation on banking supervisory matters. Its objective is to enhance understanding of key supervisory issues and improve the quality of banking supervision worldwide. It seeks to do so by exchanging information on national supervisory issues, approaches and techniques, with a view to promoting common understanding. At times, the Committee uses this common understanding to develop guidelines and supervisory standards in areas where they are considered desirable. In this regard, the Committee is best known for its international standards on capital adequacy; the Core Principles for Effective Banking Supervision; and the Concordat on cross-border banking supervision.

The Committee's members come from Argentina, Australia, Belgium, Brazil, Canada, China, France, Germany, Hong Kong SAR, India, Indonesia, Italy, Japan, Korea, Luxembourg, Mexico, the Netherlands, Russia, Saudi Arabia, Singapore, South Africa, Spain, Sweden, Switzerland, Turkey, the United Kingdom, and the United States.

Under U.S. Treasury Department guidelines, we hereby inform you that any tax advice contained in this communication is not intended or written to be used, and cannot be used by you for the purpose of avoiding penalties that may be imposed on you by the Internal Revenue Service, or for the purpose of promoting, marketing or recommending to another party any transaction or matter addressed within this tax advice. Further, RubinBrown LLP imposes no limitation on any recipient of this tax advice on the disclosure of the tax treatment or tax strategies or tax structuring described herein.
