Emerald Group Publishing Limited
Copyright © 2004, Emerald Group Publishing Limited
Rethinking internal audit after the FSA review
Marc Dumbell, Financial services expert in Banking & Securities, Deloitte (firstname.lastname@example.org).
The FSA recently published its findings from a thematic review of banks' and building societies' internal audit functions. In this column I want to look at some of the key issues identified and explore the co-sourcing solutions that firms are using to deliver greater value from internal audit.
The FSA's main findings on internal audit are:
the methodology in many firms has moved towards a more risk based approach – this is often not as risk based as firms perceive;
audit committee reporting is more effective when it includes clear explanations of risks and implications of reported weaknesses;
lack of specialist resources available, for example in treasury/IT;
outsourcing or co-sourcing arrangements are operating in more than 50 percent of firms reviewed;
independence and objectivity are in danger of being compromised given widespread use of internal audit in special investigations; and
head office and local internal audit responsibilities should be clearly allocated to ensure an effective relationship.
While the issues raised by the FSA may be open to the criticisms that business areas commonly make of internal audit points, they touch on some of the major challenges in getting value from internal audit spend, namely: coverage of key risks, stakeholder communication, independence, resourcing and efficiency.
Generally, these findings highlight such internal audit challenges on the chief executive's agenda. More specifically, the FSA has stated its intention under Arrow to review whether firms are assessing the effectiveness of their internal audit function.
Internal audit's role
As the FSA highlights, internal audit is an integral part of a firm's corporate governance framework. Its core function is to provide key stakeholders with assurance that significant business risks are being managed and that the control framework is operating effectively.
In a secondary role, internal audit's strengths often result in their resources being used on ad hoc projects.
The resource issues
To fulfill its role in providing assurance over key risks, internal audit resources are being stretched in terms of both their breadth and depth.
The breadth required to address business and regulatory developments, and the ability to audit the programs implementing these changes, is expanding. For SEC registrants, while the Sarbanes-Oxley impact is not entirely clear, an analogous benchmark using initial views on external audit suggests that this alone could increase resource requirements by as much as 20-25 percent.
There is also the on-going challenge of getting sufficient depth of knowledge in specialized technical areas. For example:
treasury (e.g. testing of value at risk/CAD models);
information technology (e.g. IT security/ethical hacking);
international accounting standards (e.g. accounting standards and key financial controls);
Basel (e.g. credit risk modeling skills/operational risk); and
outsourcing (e.g. SAS 70 reporting/third party assurance).
This is against the background of the number one concern of heads of internal audit being how to attract and retain top talent, especially now that internal audit is no longer viewed as an entry point into an organization and these technical skills are in very high demand.
Yet the importance of a firm having robust controls in more technical areas such as treasury (which the FSA has highlighted) has been seen only recently in the difficulties experienced by AIB and the National Australia Group.
Even in terms of "business as usual" there is a continuing balancing act of resourcing competing needs such as:
ongoing audit testing;
firefighting/post mortem reviews for management;
audit committee and corporate governance reporting;
custodianship of independence and monitoring of external audit roles; and
additional testing for FSA purposes.
With these pressures and the push for a more robust risk based approach, it seems an insurmountable task for internal audit to meet these expectations without a rethink of the traditional operating model.
So what are the FSA's recommendations?
While few specific recommendations are given, it comes as no surprise that more than half of the firms reviewed are rethinking the way internal audit operates by using some sort of outsourcing or co-sourcing partnership.
Clearly there is no "one size fits all" solution and firms are exploring different models on the co-sourcing spectrum to find those that best meet their needs. The reasons often given are to gain advantages from:
access to in-depth specialist knowledge to effectively challenge management's approach;
added value from benchmarking against best practice and competitors;
independent assurance over risk based assessments;
formalizing ad-hoc arrangements to meet FSA outsourcing requirements;
combining the relative strengths of internal and external resources;
flexibility to use internal audit on special investigations/obtain independent external assurance; and
cost savings from not having to employ full time specialist staff and sourcing in remote locations.
The first step is a review of how your firm obtains internal assurance over key risks and, specifically, the effectiveness of internal audit – again, independence being a factor in deciding who should carry this out.
The FSA are expecting this as a minimum, not least because they themselves often rely on internal audit to provide assurance on specific risks in the organization. Significantly, we have seen this manifest itself recently through the FSA commissioning "Section 166" reviews on the effectiveness of internal audit for major financial groups.
Taking this one step further, given the current focus from the UK governance agenda and Sarbanes-Oxley, it may be time to rethink your internal audit operating model. Then internal audit may have some chance, in the balancing act of competing demands, to deliver value to the business and the assurance to underpin a firm's corporate governance framework.