One of the questions that the regulators ask when a bank has a serious problem is: "What did internal audit find?"
In a preponderance of the cases that we have seen in which a financial institution had a serious problem, the internal audit department had not identified the problem in advance. It is not surprising, therefore, to see regulators increasingly turning their attention to the quality of internal audits in large financial institutions. I believe that the quality of internal audits will be a key area of regulatory focus for the next several years.
There are a number of challenges for the internal audit department that are not easy to solve.
First, the enormous task of auditing everything a large, complex financial institution does is daunting. Nonetheless, audit committees and bank regulators generally have not been willing to let internal audit step back from performing comprehensive audits. Institutions have been forced to devote more and more resources to this area.
Second, internal audit perennially has a difficult time hiring and retaining competent staff. Although competition for good auditors has improved salaries somewhat, it is not surprising that talent in this area tends to gravitate over time toward the higher-paying jobs elsewhere in the institution.
This problem is compounded by the fact that auditing is difficult and often tedious work. The trading-desk rush of adrenaline that attracts many young people to financial services rarely makes its way to the internal audit team. Yet the team that audits the trading desk should be made up of sharp, knowledgeable folks who are not easily fooled by a hotshot trader.
Third, internal audit for many good reasons is a creature of the audit committee of the board of directors, not of management. This is even more so today, because regulations have been modified over the past decade to increasingly stress the independence of internal audit from management.
Accordingly, the rules explicitly express a preference for internal audit to be run by the board's audit committee. Although bank regulators allow management to have a dual reporting relationship if the board so desires, this relationship must be limited to "administrative matters."
The move toward an internal audit that is independent from management has tradeoffs. Like many one-size-fits-all rules, it is less felicitous toward the best companies and more helpful in avoiding problems that might be presented by the worst companies.
The heart of the problem is in oversight. The best CEOs want a tough internal audit department. As hands-on, day-to-day stewards of the company, they are situated in an excellent position to make sure it happens. The audit committee's chairman is inherently further removed from the firm (although this can be a virtue at times).
Arguably, one answer to this problem is to have a real hands-on chairman for the audit committee. This highlights, however, a post-Sarbanes-Oxley Act conundrum: If the board is hands-on, does it become a kind of shadow management? And does it lose the character of its independent oversight?
Furthermore, a topflight CEO is not a disinterested party; he very much wants the internal auditor to be a big success.
What if a company is not lucky enough to have an exceptionally astute audit committee chairman, and hence internal audit is less than it could be? What is the CEO to do? Clearly, the CEO must avoid actions that create even the appearance of compromise to the independence of internal audit. However, the CEO can review the audit plan and suggest additions to it. And he can get the audit results.
But a CEO who tries to be a more active participant is treading on thin ice.
A legitimate, indeed important, question for public policymakers is whether it is an ideal situation to have the quality and scope of such a key control mechanism of a financial services company so far removed from the influence of the senior management team that best understands the business.
I believe more study is needed in this area of regulatory practice and some reconsideration should be given to the role of CEOs versus boards. Of course, there must be independence for the internal audit function - internal auditors must have the unfettered right to look at what they and the board believe needs to be looked at, and they must have the unfettered right to report findings to the board.
However, my own judgment is that beyond what the board's audit committee chairman wants the internal auditor to do, the CEO should be able to have enough interaction with internal audit to have a stronger hand in ensuring that the quality of the audit and audit personnel is maintained.
Given where regulatory guidance is today, I suggest:
- That boards make sure chairmen of audit committees have a strong understanding of banking operations, are knowledgeable about industry trends, and are aware of their very serious responsibility to ensure a top-quality internal audit function and team.
- That audit committee chairmen make sure that the heads of internal audit have several years of internal auditing experience and/or have been lead auditors on bank engagements; are exceptionally energetic and good managers and recruiters of talent; and have high standards of integrity and forceful personalities, so that they are willing to speak their minds even if it is contrary to accepted wisdom.
- That CEOs and audit committee chairmen work together to make sure that adequate resources are devoted to internal audit.
- That CEOs and audit committee chairmen ensure that internal auditors understand that they have unfettered access to their audit committee and board - and that this is where they report.
- That heads of departments that have failed internal audits and have not rapidly corrected the errors be brought before the board's audit committee to explain the delays.
- That CEOs and senior management teams make sure that all bank personnel are fully cooperative with internal audit.
Internal audit is one of a bank's key controls, but too often it is underpowered.
My suggestions should help beef up internal audit and forestall regulatory criticism, but this dynamic area of control must be vigilantly watched and enhanced.





