Internal audit reporting – keeping a finger on the pulse

The role of internal audit (IA) continues to develop within the financial services sector. The key drivers behind this is an effort to embed practices in line with the CIIA guidance for the sector and to deliver the most value to stakeholders through assurance to the Audit Committee and practical improvement ideas to executive management.

One key area of change is the way IA reports. Traditional methods of reporting, i.e. findings and recommendations from the testing of controls over a period in time, is giving way to more forward looking and judgmental reporting across a range of areas, for example:

  • Change activities – for example, the feasibility of digital transformation programmes.
  • Culture and business conduct – whether the conduct of business and risk culture is aligned to firm’s brand beliefs and values and meets regulatory requirements.
  • Customer outcomes – not just the effectiveness of governance and controls over a process, but whether the customer outcome is appropriate and fair as a result of these controls.
  • Strategy – the role of IA in relation to strategy and decision making remains an ambiguous one in practice but, under the CIIA guidance, an onus is placed on IA to develop an appropriate role on assuring and reporting on key strategic decisions. Often this is achieved through the review of MI and governance surrounding strategic decision making.
  • Governance and risk management – a forward looking view from IA on whether the approach to governance and risk management is robust and reliable to identify and appropriately mitigate future risks facing the business.
  • Continuous monitoring – for example oversight of change projects, ‘BAU’ key governance meetings or the use of data analytic and computer assisted audit tools to inform IA reporting. For continuous monitoring to be effective, it is essential to define the role of IA and avoid ambiguity on IA’s role relative to second line of defence. It is important also to ensure opinions are reliable: to ensure this continuous monitoring is becoming more formalized and methodical.
  • Issues remediation – whether management action plans in relation to control gaps is sufficient, timely and appropriate.

Practices vary across the industry, as would be expected from a principles-based requirement. Increasingly common is the annual assessment report, through which many of the above topics are covered through a more holistic assessment report to identify and present trends, themes and root cause analysis.

With our in-depth sector knowledge and deep systems and controls experience we are well placed to help support internal audit functions through these changes. We can provide internal audit services on a fully outsourced or a co-sourced basis, enabling you to achieve the right level of support for your organisation. Our internal audit teams have extensive experience of working in the financial services sector, but we don’t take your business model for granted. We begin every internal audit assignment by building a real understanding of your business. In this way we can focus out work on your key risks, applying creative thought to target our effort as efficiently and effectively as possible.

For further information, please contact Ian Gardner.