0758 Effective Internal Audit Financial Webfinal
Services Sector
Recommendations from the Committee
on Internal Audit Guidance for
Financial Services
July 2013
Foreword from the Chief Executive
The guidance contained within this document represents the final recommendations of the Committee on Internal Audit Guidance for Financial Services, which the Institute has accepted in full and now commends to the Boards and Internal Audit practitioners of all organisations operating in the UK financial services sector.

Chaired by Roger Marshall, the Audit Committee Chair of a FTSE 100 insurance group and a director of the accountancy standards setter, the Financial Reporting Council (FRC), our Committee was an independent, industry led body which the Institute created specifically for the purpose of developing this guidance. The group was designed to embrace Non-Executives, Executives, Internal Audit practitioners and the regulatory and standard setters’ perspectives. Together they achieved a high level of debate and engagement across the financial services sector on the issues of Internal Audit’s role in supporting the management of risk. The result is the set of thorough, thoughtful and scalable recommendations contained within these pages.

financial crisis and more recent governance, risk management and internal control failures within the financial services sector – notably the June 2013 report of the Parliamentary Committee on Banking Standards Commission – emphasise that a more influential internal audit function can play a more significant role in supporting Non-Executive and Executive Management of financial services organisations to manage risks better.

So I hope that Boards and particularly Audit Committees will embrace the spirit and principles of this new guidance, so that the Internal Audit profession may deliver its full value to them.

Finally, I should like to thank the members of the Committee for their diligence and commitment to the task of producing their recommendations. Despite a challenging delivery timetable, they have promulgated a comprehensive debate about the role of Internal Audit in financial services organisations and achieved a high level of engagement on the issues, across the industry.
Message from the Chairman
We have pleasure in issuing our final recommendations aimed at fostering effective internal audit in the financial services sector.

This follows a lengthy consultation exercise which started in September 2012. We issued our draft proposals on 11 February 2013 and have been struck not only by the number of responses but also by the thought and care which have gone into preparing them. The Committee has considered the responses in detail and our final recommendations have been modified as a result. In some cases we realised that the principle was supported but that the wording was unclear but in other cases more significant changes have been made.

We have included a basis for conclusions section in this document, which includes the main themes of the responses and how we dealt with them.

The Committee agrees and has included an overall paragraph in the Introduction and Context section making this clear.

Whilst we have addressed our recommendations to the Chartered Institute of Internal Auditors we appreciate that many of them can only be implemented by Boards, Audit Committees and Executive Management.

We hope that some of the recommendations will be useful outside the financial services sector. We have written separately to the Financial Reporting Council recommending that they consider whether additional guidance is needed on what should be expected from a good Internal Audit function.

Finally I would like to extend my thanks to the Members and Observers of the Committee and to our secretary, Chris Spedding, for all their diligent work.
Introduction and context
The recommendations included in the following guidance are made by the Committee to the Chartered Institute of Internal Auditors in the UK with the aim of enhancing the overall effectiveness of Internal Audit, and its impact within the firms operating in the financial services sector in the UK. The guidance can be regarded as an additional benchmark against which firms can measure their Internal Audit function. The intended audience for this guidance includes Chief Internal Auditors, Executive and Non-Executive Directors and the Regulatory bodies.

The guidance should be applied in conjunction with the existing Institute of Internal Auditors International Professional Practices Framework (IPPF), which includes the International Standards for the Professional Practice of Internal Auditing (the IIA Standards). The recommendations contained in this guidance aim to build on the IIA Standards, providing financial services context to the existing IIA Standards, and to increase the effectiveness and impact of internal audit in high risk areas of financial services organisations by clarifying expectations and requirements of internal audit.

The guidance aims to establish principles rather than detailed rules. Nevertheless it is written in the context of a reasonable sized company operating within the UK regulated financial services sector. Smaller companies and branches of non-UK headquartered organisations in particular may need to make modifications to the detail of the principles whilst complying with their spirit. The guidance is assumed to be interpreted and implemented in a manner and to the extent that is appropriate to a firm’s size, risk profile, internal organisation and the nature, scope and complexity of its activities.

Wherever possible, the guidance has attempted to use layman’s language to define terms open to ambiguity or differing application, e.g. “assurance”, “three lines of defence” and “reporting line”. To a great extent, the guidance has also avoided recommendations on the application and implementation of the principles included. Given organisational and industry specific factors, and a variety of potential audit approaches, the Committee did not feel it was appropriate to mandate best practice of application.
Recommendations of the Committee
(The Guidance)
[A] Role and mandate of Internal Audit

1. The primary role of Internal Audit should be to help the Board and Executive Management to protect the assets, reputation and sustainability of the organisation.

It does this by assessing whether all significant risks are identified and appropriately reported by management and the Risk function to the Board and Executive Management; assessing whether they are adequately controlled; and by challenging Executive Management to improve the effectiveness of governance, risk management and internal controls. The role of Internal Audit should be articulated in an Internal Audit Charter, which should be publicly available.

2. The Board, its Committees and Executive Management should set the right “tone at the top” to ensure support for, and acceptance of, Internal Audit at all levels of the organisation.

[B] Scope and priorities of Internal Audit

3. Internal Audit’s scope should be unrestricted

assess how effectively these risks are being managed. Internal audit’s independent view should be informed, but not determined, by the views of management or the Risk function. In setting its priorities and deciding where to carry out more detailed work, Internal Audit should focus on the areas where it considers risk to be higher.

Internal Audit should make a risk-based decision as to which areas within its scope should be included in the audit plan – it does not necessarily have to cover all of the potential scope areas every year.

5. Internal Audit planning

Internal Audit plans, and material changes to Internal Audit plans, should be approved by the Audit Committee. They should have the flexibility to deal with unplanned events to allow Internal Audit to prioritise emerging risks. Changes to the audit plan should be considered in light of Internal Audit’s ongoing assessment of risk.

6. Scope of Internal Audit

Internal Audit should include within its scope the following areas:
9. Effective Risk Management, Compliance and Finance functions are an essential part of an organisation’s corporate governance structure. Internal Audit should be independent of these functions and be neither responsible for, nor part of, them.

10. Internal Audit should include within its scope an assessment of the adequacy and effectiveness of the Risk Management,

14. Internal Audit should have sufficient and timely access to key management information and a right of access to all of the organisation’s records, necessary to discharge its responsibilities.

In organisations in which the Internal Audit function is outsourced, the Chair of the Audit Committee should identify an appropriate individual responsible for ensuring that the Chief Internal Auditor has sufficient and timely access to key management information and decisions.

15. The primary reporting line for the Chief Internal Auditor should be to the Chairman of the Audit Committee. In exceptional circumstances, the Board may wish for Internal Audit to report directly to the Chairman of the Board, or delegate responsibility for the reporting line to the Chairman of the Board Risk Committee, provided the Chairman of the Board Risk Committee and all the other Committee members are independent Non-Executive Directors. The reporting line must avoid any impairment to Internal Audit’s independence and objectivity.

to the Group Chief Internal Auditor, while recognising local legislation or regulation as appropriate. This includes the responsibility for setting budgets and remuneration, conducting appraisals and reviewing the audit plan. The Group Chief Internal Auditor should consider the independence, objectivity and tenure of the subsidiary, branch or divisional Heads of Internal Audit when performing their appraisals.

20. If Internal Audit has a secondary Executive reporting line, this should be to the CEO in order to preserve independence from any particular business area or function and to establish the standing of Internal Audit alongside the Executive Committee members.

26. Internal Audit functions of sufficient size should develop a quality assurance capability, with the work performed by individuals who are independent of the delivery of the audit. The individuals performing the assessments should have the standing and experience to meaningfully challenge Internal Audit performance and to ensure that Internal Audit judgements and opinions are adequately evidenced.

The Chief Internal Auditor, and other senior managers within Internal Audit, should have an open, constructive and co-operative relationship with regulators which supports sharing of information relevant to carrying out their respective responsibilities.
Committee members
Brendan Nelson Audit Committee Chair, BP; Audit Committee chair, RBS
• Dynamic leadership of the profession which maximises our members’ reputation and influence
individually and collectively.
• Technical excellence through our International Standards and Code of Ethics.
• All members across the globe work to the same International Standards and Code of Ethics.
• We have 8,000 members in all sectors in the UK and Ireland.
• High quality support to our members throughout their careers, which enables
them to continually develop their professional knowledge, skills and experience
and provides other services of value to members in their roles.
These things, enacted through our staff, members and volunteers and
with the support of our suppliers and partners, make a significant
and unique contribution to the success of all organisations.
www.iia.org.uk
Chartered Institute of Internal Auditors
13 Abbeville Mews, 88 Clapham Park Road, London SW4 7BX
tel 020 7498 0101 fax 020 7978 2492 email info@iia.org.uk
©July 2013. Information can be made available in other formats.