
Internal Audit and supervisory expectations – building on progress - speech by Sasha Mills

05 February 2016

Given at Ernst & Young, London on 3 February 2016

Hello, and thank you for the opportunity to speak on this key area of interest to regulators.  We are aware that Ernst & Young is a supporter of the CIIA Guidance and a promoter of it through this event and secretarial support of the Group that produced the Guidance.
As you know, the PRA very much welcomes the Industry Guidance that the IIA issued in July 2013. 

Andrew Bailey said at the time that the guidance:
“Raises the bar for Internal Auditors with the explicit acknowledgement that their primary role is to help protect the assets, reputation and sustainability of the organisation”.
When reading your recent survey, and re-reading the Guidance in preparation for today, my eye was drawn to the survey’s subtitle ‘surfing the wave’ and to a number of other oceanographic references.  (I would like to draw on that metaphor in my comments).  Looking back at where Internal Audit functions were pre-crisis, a tsunami of change was required to raise standards.
With apologies for reminding you all of it, but I’d say that our overwhelming impression of Internal Audit functions in Banks and Insurance Companies at the time of the Financial Crisis was that they were not sufficiently influential and not sufficiently relevant within their organisations. 
Too often we felt that Internal Auditors were able to claim that they had provided “reasonable assurance” and yet the fact that their organisation was in trouble was apparently nothing to do with them.  Even more worryingly, this view was often shared by Audit Committees, CEOs and even supervisors.
And to be honest, we felt that this “comfortable irrelevance” was insufficiently challenged by the IIA’s definition of Internal Audit as an “independent, objective assurance and consulting activity designed to add value and improve an organisation's operations.”
Internal audit is important to the PRA as we are fundamentally concerned with ensuring the safety and soundness of the financial system, which is in large part driven by the safety and soundness of firms.
A good Internal Audit function, along with finance and risk management, supports and challenges the management of firm-wide risks.  By supporting good governance, this in turn helps to protect the organisation.
(Protection is a concept I will return to later).
Expressing independent views within the firm on the appropriateness of the level of risk being run and the adequacy and integrity of the associated governance, risk management and financial and other control arrangements is a key responsibility of Internal Audit.
By providing independent challenge and opinions across the business Internal Audit should be an invaluable resource to management and the Board and crucially to possess sufficient authority to offer robust challenge to the business. Independence of reporting line is essential to achieve this.
With these responsibilities comes accountability. In future Head of Internal Audit will be one of the Senior Management Functions for which PRA approval with FCA consent is required. The inclusion of the Head of Internal Audit as a PRA senior manager was a deliberate decision to place greater focus and clarity on the importance of Internal Audit compared to the old Approved Persons Regime, where Internal Audit sat under the umbrella responsibility of Controlled Function 28 - Systems and Controls.
Under the Senior Managers and Senior Insurance Managers Regimes, Internal Audit has its own definition which in turn sets out the key regulatory responsibilities of the role.  These responsibilities are inherent in the role of the Head of Internal Audit and are seen as an integral component of safety and soundness.  They include the overall responsibility for the day-to-day management of Internal Audit and accountability for reporting to the Board, and/or the Audit Committee.
Where have we come from?
Pre-crisis Internal Audit
As with many areas where we need to make improvement, it is useful to look back to the financial crisis, and specifically to the HBOS report, issued by the PRA and FCA late last year, to give an idea of where Internal Audit was, and why it needed to change.
At first sight, the role of Internal Audit within HBOS seemed to be positioned correctly – it “provides independent, objective assurance to Executive management and the Board as to the internal control environment in the Group and the operation of the risk management, control and governance processes.”
A key part of its role was to “undertake a comprehensive programme of Internal Audit activities which supports HBOS Group in relation to good corporate governance and regulatory requirements in all jurisdictions in which the Group operates”.
But Internal Audit was not fully effective in HBOS. The report states that, “While group Internal Audit may have discharged many of its responsibilities during the Review Period in line with its remit, the Review, however, considers the decision to exclude credit decisions from its scope to be a mistake. A stronger group Internal Audit function might also have had greater influence on the businesses and been able to strengthen the control environment rather than observing, as it did, its deterioration.”
What wasn’t right?
First, there was a lack of clarity about the roles and authorities of different functions, specifically the respective responsibilities of the parts of the second and third lines of defence. That is, between the risk and Internal Audit functions. 
Second, the line management of Internal Audit by the group finance director created a potential conflict of interest. 
Third, there is evidence to suggest that Internal Audit did not have the capability to appropriately challenge the business, whether through not having sufficient authority or having a lack of understanding of the business.
Fourth, Internal Audit’s work should have been linked more to group risks, and in particular to emerging risks – ‘looking beneath the surface’; and
Fifth, the function may also have been insufficiently staffed. And it was not viewed as part of a mainstream career path within the organisation, affecting its ability to attract and retain talent.
Post-crisis changes
Although the HBOS report discusses Internal Audit, throughout the financial crisis the role of internal auditors in general within banks and insurers has received relatively little scrutiny.
I referred earlier to ‘comfortable irrelevance’. We were particularly pleased to see that the UK Chartered Institute of Internal Auditors took a global lead in attempting to define the primary role of Internal Audit in the Code (in financial services at least) as being “to help the Board and Executive Management to protect the assets, reputation and sustainability of the organisation”.
I’m afraid that may make your lives rather more uncomfortable in the hopefully unlikely event that your organisation gets into serious trouble. But we hope that it will help to make your day jobs very much more interesting and rewarding.
The Financial Services Code covers many of the areas I’ve talked about regarding HBOS. For example, it says that the head of Internal Audit should report to the Chair of the audit committee. The audit committee Chair should be accountable for setting the objectives of the Chief Internal Auditor and appraising her or his performance. In addition, the Chief Internal Auditor should ensure that the Internal Audit function has the right skills and experience, and should report on this annually to the audit committee.
I’m pleased to see from your survey that now nearly three quarters of the heads of Internal Audit are line managed by the audit committee Chair (up from half in 2013). The survey also reports that more than 40% of you have seen an increase in the number and seniority of your staff.  (I’d also add that we see that nearly half of you don’t have regular meetings with your regulators and we hope this can improve going forward).
We welcomed this framework and believe that it is a key stage in moving towards a high quality and effective Internal Audit function.
We recognise however that full implementation requires strong support from audit committees, executive management and the Board and we will be looking to them to demonstrate this.
The regulatory framework
I want to turn now to what we as prudential regulators expect. I’ll focus on the guidance for banks, though I’d note that guidance has also been issued by EIOPA reinforcing similar or the same messages.
Internal Audit is part of the Basel framework that underpins bank regulation in the UK. Not only is its need discussed in the core principles, but Basel published separate Internal Audit guidance. That guidance includes statements on Internal Audit’s independence and unrestricted scope.
From a regulator’s point of view, as well as being interested in a high quality Internal Audit function contributing to the overall governance of the regulated firm, we use Internal Audit as part of our supervisory process. Indeed, principle 7 of the guidance says that, “The scope of the Internal Audit function’s activities should ensure adequate coverage of matters of regulatory interest within the audit plan”.
We also are required by the Basel Core Principles to “regularly assess whether the Internal Audit function has sufficient standing and authority within the bank and operates according to sound principles”.
So what happens in practice?
In the UK, we engage with and assess the effectiveness of firms’ Internal Audit functions and, in some circumstances, use your work as part of our supervision.
Under the PRA’s continuous assessment of a firm, the supervisor evaluates an insurer or bank’s Internal Audit function.  Our staff meet with the Internal Audit function periodically, review audit reports and seek to understand how audit findings have been addressed. 
The assessment of Internal Audit may influence the PRA’s overall assessment of the firm and can affect the assessment of the risk management and controls element within the PRA risk model.
Where we feel we can rely on an Internal Audit function’s work, we may use firms’ Internal Audit to identify and measure risks. For example, at the PRA’s request, smaller UK banks’ Internal Audit functions recently carried out a review of certain lending activity.
As I have already mentioned, from March this year, the Head of Internal Audit will be a Senior Management Function under the SMR and SIMR. Individuals applying for this role in PRA-regulated firms will need to be pre-approved by the PRA in consultation with the FCA. In assessing whether to pre-approve the individual for the role, the PRA will perform an assessment of their fitness and propriety, which will include the individual’s competence and capability to carry out the role taking into account areas such as her or his qualifications, training and competency.
Employees in scope of the Certification Regime will not be subject to regulatory pre-approval, but will be required to be assessed and certified as fit and proper to perform their roles by their firms at least annually.  In many firms, the Certification regime will cover individuals reporting into the Head of Internal Audit, such as individuals with managerial responsibility for Internal Audit in a significant business unit of a bank.
Both the Head of Internal Audit and any of his or her direct reports subject to the Certification Regime will be subject to individual conduct rules, including a requirement to be open and co-operative with the regulators; a requirement which we take very seriously. The conduct rules will apply in addition to the Fundamental Rules which impose similar obligations on firms as a whole as a condition of authorisation. 
It should be clear, therefore, that we continue to attach significance to Internal Audit and want to ensure that the head of Internal Audit is properly accountable.
Here I have been talking about individual accountability but we also view it collectively.  We will be considering the protection afforded to Internal Audit to carry out its role effectively when we assess governance and look at the effectiveness of the Audit Committee, whose chair will also be required to be approved by the PRA and FCA.
Scanning the horizon
What is the role of Internal Audit for financial services firms going forward? In our view, its importance can only increase. Let me give you two examples:
Solvency II requires the internal models of firms to be subject to a regular cycle of model validation. This includes performance, stability, accuracy and completeness of data. It may be that Internal Audit has a role to play in this validation process.
The Institute of Chartered Accountants in England and Wales recently published a discussion paper on potential assurance of bank regulatory capital reporting. Thinking and practice will undoubtedly develop in this area. There is at least some interest in assurance over model governance and control. Any assurance that results may well be provided by Internal Audit instead of or as well as by external providers.
What does good Internal Audit look like?
So that’s the state of play as we stand in terms of what we expect and how we work with you. And as I said, we expect the role of Internal Audit to increase in the future.
So that leads me to the important questions of: What does a good Internal Audit function look like? And what are we really looking for? I would make a few points here.
Look ahead – we want you to be scanning the horizon for emerging risks – be proactive and looking at where the business is going rather than assess what has already happened.
You should be assessing whether these risks are being managed by the organisation in terms of what they mean for the internal control environment and helping to ready the organisation for new threats and opportunities.
Think broadly – think about the firm’s culture. We don’t mean that it is the role of Internal Audit to perform culture audits. The key is that Internal Audit should bear culture in mind when conducting your work. Don’t look at each assignment by itself. Rather, think about what the results of all your pieces of work tell you about the culture and management values of your firm.
Work with us – you should be sharing areas of interest with supervisors so that we can be aware of what Internal Audit considers to be the risks, and so that Internal Audit can direct its work to the areas of risk that we’re interested in.
Be independent – we need you, in line with the Code, to be independent and able to provide challenge as well as assurance.
Have the right people – insurers and banks are becoming ever more complex, and the Internal Audit function needs to have the right skills and expertise to be able to probe and challenge all areas of the firm with authority.
Know where you stand – we expect you to really push within your organisation to ensure that you are fully compliant with the Code – three years on, we expect you to be meeting all of its requirements. It’s not unreasonable to assume that your supervisor might ask your audit committee Chair for their assessment of your function against the financial services code.
Continuing to build on the progress made
At the PRA, we believe that the financial services code has undoubtedly had a positive effect. For example:
Access to information appears to have improved, with Internal Audit now having much improved attendance at key governance forums and access to associated papers.
Internal Audit’s standing and reporting lines have improved, with it now being much less likely that Internal Audit reports to Finance or Risk.
Resourcing in terms of overall headcount also appears to have increased generally across the industry, although there probably remains further to go and quality remains an issue particularly in specialist areas. And if you are outsourcing any of your functions, you need to continue to be responsible.
But we do think there is further to go.
Although standing has improved, the status of Internal Audit, which has a massive impact on your ability to recruit the right people, could still be improved.
There is a concerning view, which sometimes surfaces, that compliance with the code is sufficient. We believe it is necessary but not necessarily sufficient as effectiveness of the Internal Audit function depends upon the quality of coverage, appropriate challenge, follow-up and escalation to ensure optimal impact. All of this is highly judgemental (e.g. is something high risk or medium risk?) and can only be assessed on a case by case basis.
Historically we have found that major issues identified by the PRA have not been identified by Internal Audit.
As I said at the beginning, the support of, and challenge by, audit committees is key to an effective Internal Audit function. There is some way to go for the members of audit committees to have sufficient Internal Audit knowledge, and we see that they therefore sometimes struggle with their responsibilities in terms of overseeing Internal Audit.
So I’ve talked about the position of Internal Audit pre-crisis, changes that have been made since then, our approach as regulators and what we think is good and where improvements can continue to be made.
I hope you’ve found these observations useful.
‘Surfing the wave’, especially one from a tsunami, takes great skill, flexibility and courage – raising the standards of Internal Audit is in all our interests. As supervisors we stand ready to support your efforts to step up to the mark.
Thank you