Viewpoint: Internal Auditing — Lots of Room for Upgrades

Though banks spend millions of dollars a year on internal audit, many continually face control breaks, especially in the areas of compliance, Bank Secrecy Act, and anti-money-laundering.

Clearly, reform is needed.

I feel sympathy toward internal auditors — they have a tough job.

They face a daunting task and are responsible for checking the entire control mechanisms for complex financial systems. Their jobs can also be tedious and, at many financial services companies, command lower pay and less prestige than their business-line counterparts.

In the real world, auditors cannot be expected to catch every error. At the same time they form the crucial "third line of defense" for financial organizations. As banks become larger and more complex, the importance of internal audit becomes greater.

I am also sympathetic to senior bank managers who - under current rules - are kept separate from the internal audit function and must act through the board audit committee to enhance internal audit.

Though important reasons exist to keep internal audit as an independent function, there could be a risk of going too far - to a place where independence trumps auditor relevance.

Internal audit at "best-in-class" banks today is supposed to have only a limited dotted line to the chief executive officer - and none to any other senior manager.

But should this structure be more flexible so that the dotted line can also lead to a senior control officer of the bank, if the bank has someone playing this role?

To be sure, the internal audit function should have a complete, independent responsibility to report to the board audit committee, and appropriate safeguards could be adopted to mitigate concerns about potential conflicts.

There is an overriding virtue to internal audit having to keep internal senior risk and control people sufficiently in the loop that they are in a position to promptly bring to the audit committee's attention ways in which to enhance the internal audit function.

I have found internal audit programs most lacking in areas listed below. These areas, if upgraded, would markedly enhance a bank's control environment:

  • Too often, banks do not have someone in internal audit with expertise in important areas of the business or on important laws with which the bank must comply.
  • Many banks' internal audit departments continue to treat compliance as a backwater, despite the unrelenting increase in banks' compliance risk. Ensuring that internal audit has appropriate expertise is important.
  • Some internal auditors allow business lines too much slack to fix problems before bringing them to the audit committee for repair. It is important that the internal auditors and audit committees insist on prompt attention by business lines to negative audit findings.
  • Internal audits have often been overly lenient on information system weaknesses. In an increasingly complex and demanding environment, it is important that audit has the expertise to criticize weaknesses in banks' crucial technological infrastructure.

  • Audit committees must do a better job of setting expectations for their internal auditors. Performance goals should be specific and should relate to attainment of goals above and beyond completion of the audit plan. Internal audit outreach and continuous improvement activities should be made a part of baseline objectives, and achievement of these objectives should be actively and continuously monitored and rewarded.
  • I have seen on too few occasions internal audit being self-critical or sufficiently reviewed by external parties. Robust periodic reviews of internal audit can pay banks real dividends. Internal auditing standards call for periodic peer reviews, but beware: We often see peer reviews that are cookie-cutter or superficial, creating a false sense of comfort.

  • We are routinely amazed by the absolute lack of engagement outside auditors have with many banks' internal audit functions. Audit committees should set higher expectations for coordination of external and internal audit activities. They should also expect thoughtful feedback that can be acted upon from external auditors regarding internal audit performance and opportunities for improvement.

  • Outsourced internal audit has worked in certain circumstances and can be particularly helpful in specialty areas where a bank's internal audit department lacks certain expertise. But we have often seen dreadful outsourced internal audit without adequate internal bank oversight. If a bank outsources internal audit, we strongly recommend that its audit committee have a strong internal resource - someone with a strong audit background - to watchdog the comprehensiveness of the outsourced internal audit.

  • Internal audit effectiveness is a two-way street. While raising the bar for internal auditor expectations, similar accountability should be required of oversight departments - such as compliance, risk management, and controls groups - for improved coordination with the internal audit function. Do not expect the auditor to achieve improved effectiveness and relevance without active cross-institutional support.

  • At many banks, more interaction between internal audit and the risk management function would pay big dividends. The internal auditor prepares an audit plan designed to be comprehensive with respect to the risks the bank faces.

    But in practice this internal audit analysis does not always align with the analysis developed by the risk management function. A healthy interaction between internal audit and risk management would improve the effectiveness of both functions.

In sum, internal audit will play an ever more important role in modern banking. However, there is still much that can be done to make this function more effective.
