Main objectives and principles of the internal audit function
Category: Corporate Governance
The internal audit function is part of the ongoing monitoring of the system of internal controls because it provides another assessment of the adequacy of, and compliance with the bank’s established policies and procedures.
Therefore, the internal audit function assists Supervisory Council and Management board in the efficient and effective performance of their responsibilities as relates to the risk management.
Internal audit within a bank should be a permanent function. In fulfilling its duties and responsibilities, the Supervisory Council should take all necessary measures so that the bank can continuously rely on an adequate internal audit function appropriate to its size and to the nature of its operations. These measures include providing the appropriate resources and staffing to the internal audit department to achieve its objectives.
The bank’s internal audit department must be independent of the activities audited. The department must also be independent from the every-day internal control process. This means that the internal audit department is given an appropriate standing within the bank and carries out its assignments with objectivity and impartiality, free from any bias and interference.
The professional competence of every internal auditor and of the internal audit department as a whole is essential for the proper functioning of the bank’s internal audit function.
Every activity and every entity of the bank should fall within the scope of the internal audit. None of the bank’s activities or entities — including the activities of branches and subsidiaries as well as outsourced activities — should be excluded from the internal audit department’s scope of investigation. The internal audit department should have access to any records, files or data of the bank, including management information and the minutes of the consultative and decision-making bodies, whenever it is relevant to the performance of its assignments.
Internal audit: existing and future models
The internal audit function historically encompassed certain capabilities or segments. Banks typically tend to focus on or be strong in one of the segments. Driven in part by corporate culture and desires of the audit committee, these segments tend to define the direction of the internal audit model as follows:
internal policy compliance — establishing and monitoring internal policies and controls is one of the functions that historically tends to be most closely associated with internal audit. This function directs the efforts of the internal auditors toward measurement of compliance against predetermined standards.
regulatory policy compliance — internal auditors play strategic role in regulatory compliance, whether they serve their banks by assisting corporate compliance officers, help develop and monitor new regulatory compliance programs or use technology to ensure accurate implementation of rules and regulations. The role of the internal auditor in helping to control regulatory risk is a key one for may banks.
training and development — using the internal audit department as a training ground for the bank’s future finance and corporate leaders is a strategy successfully used by a variety of leading banks. This approach moves internal audit away from the role of detective and closer to a partnership with management.
process improvement — banks with a process improvement focus link internal audit disciplines with the bank’s critical business processes; they tend to audit whole versus discrete activities. Such an orientation means that internal audit may, for example, when auditing for controls, view the entire business cycle rather than separate transactions or activities.
While the focus of the existing models may have served well in the past, research and experience show that their focus is no longer sufficient. «An expectation gap» has emerged between the capabilities of the existing models and what corporate leaders now need them to provide. This gap may exist in part because most traditional internal audit function focus on «what is» or «what was» — not on «what will be».
The new business environment requires an equally new vision for internal audit. This new vision calls to elevate internal audit’s focus to critical business risks and exposures that determine the bank’s success or failure. It requires internal audit to understand the key risks and how they enable or impede the banks in building the shareholder value. This new visions requires internal audit to assess the risks — responses that mitigate the key exposures as well as determine if these responses are sufficient or relevant. By shifting its focus from last month’s results to the future’s key issues, internal audit can help the bank achieve its goals.
Example
The internal auditors’ business-oriented approach to due diligence and transition planning helped drive the success of the 1997 merger of NationsBank (now Bank of America) with Boatmen’s Bank. In partnership with management, internal audit helped the bank avoid consulting fees and unnecessary expenditures; developed goodwill among Boatmen’s auditors; established programs to enhance customer retention; identified back-office inefficiencies and mitigated risks; helped management make sure that computer systems conversions would be seamless for customers, and facilitated the maintenance of normal operations during the merger.
Chapter summary
In many developed economies, regulation of the audit profession is moving towards strenghtening the requirements on independence of auditors and audit firms.
The bank’s Supervisory Council has the ultimate responsibility for ensuring that Management Board establishes and maintains an adequate and effective system of internal controls. The internal audit function is part of the ongoing monitoring of the system of internal controls.
Main principles of internal audit are:
internal audit is a permanent function;
internal audit should be independent, impartial, free of bias and interference;
internal audit staff must be professionally competent; and
every activity and entity within the bank should be in the scope of internal audit.