There has been a steady change in internal audit (IA) across the financial services sector since the introduction of guidance on effective IA by the Chartered Institute of Internal Auditors (CIIA) in July 2013.
Two key areas where there is visible change are:
1. Improved positioning and increased impact and influence of IA within the organisation. The IA profession is continuing its journey of improvement with good sponsorship from audit committees.
2. Improved quality of audit plans and coverage – plans are more clearly risk-based, setting out how assurance maps to material risks. Good practice also shows audit coverage against key strategic priorities facing the organisation. Multi-year fixed / committed audit plans are being replaced with flexible audit plans, sometimes with only a calendar quarter or six-month period being fixed. Management and audit committee members are more visibly engaged in challenging audit plans to optimise business benefit.
The sector continues to grapple with other areas of the guidance though, notably:
- How does IA provide assurance on risk culture? Various approaches exist for what is a subjective area to measure and report. Some IA teams report based on a culture assessment within each audit; others have opted for specific audits of culture itself, reviewing the organisation’s overall approach to ensuring the right culture is embedded through the business from the top down. Assurance on risk culture is increasingly sought by both the regulator and non-executive directors, for whom information on the behaviours within an organisation is invaluable to the overall assessment of risk management.
- How does IA obtain the right skills in the audit team to provide relevant and reliable audit conclusions, both on process and control effectiveness and on whether these controls produced an appropriate business outcome? Auditing ‘outcomes’ requires the right skills and experience to challenge highly experienced and specialist business managers. IA is increasingly outsourcing and co-sourcing to bring additional skills into IA; the use of experts from within the business can also bring subject matter expertise, but this approach needs to be balanced against independence and objectivity safeguards.
The guidance sets requirements for all IA functions to comply with, but approaches and practices vary, and such variety seems appropriate given the different size and scale of financial services operations across the UK. The key is to demonstrate to audit committees how IA delivers its mandate and reflects the principles of the CIIA guidance in a way that meets the organisation’s individual needs.
For further information, please contact firstname.lastname@example.org.