Introduction
The Building Societies Association represents mutual lenders and deposit takers in the UK including all 46 UK building societies. Mutual lenders and deposit takers have total assets of over £375 billion and, together with their subsidiaries, hold residential mortgages of £245 billion, 20% of the total outstanding in the UK. They hold more than £250 billion of retail deposits, accounting for 22% of all such deposits in the UK. Mutual deposit takers account for 31% of cash ISA balances. They employ approximately 50,000 full and part-time staff and operate through approximately 2,000 branches.
Executive summary
We welcome this exposition of the role and expectations of internal audit, and the invitation to comment on the proposed guidance. We regard it as an opportunity for financial institutions to provide greater assurance where it may not yet be offered. This response covers a range of views from our members.
Like the Committee on Internal Audit for Financial Services (“the committee”) we believe internal audit’s strength is its independence and scope. We recognise the committee’s aim is to promote cultural shift – to move internal audit away from outcomes and processes to judgement and to position it firmly and openly outside the mainstream business. But in some places we do not consider the guidance is practical or desirable for all.
Cultural shift does not happen overnight; a long period of transition may be necessary if this is to work. While much of the guidance has already been implemented in the mutual sector, there may be other places where it has not. Those particular institutions will be hampered by the lack of an implementation plan. Nor do we know how the regulator will police this guidance, particularly when it consists of high level principles only. Once the guidance has been revised and the regulator’s actions are known, we suggest that there is an appropriate transition – which may be shorter for systemic institutions – for institutions to undertake a detailed gap analysis and to agree with their regulators an appropriate course of action and timescale. Necessary action will vary: most of our members, for example, are already operating in a manner broadly consistent with the intended outcomes of the guidance.
A transition period would enable financial institutions to train, where necessary, current internal audit staff, and those from other areas where the institution is of sufficient size. It would also give the Chartered Institute of Internal Audit (“CIIA”) time to consider how best to effect these changes in its qualification and training.
Our overwhelming concern is that the guidance has been written with large, most probably systemic, financial institutions in mind. Indeed, the make-up of the committee and the feedback given at the “town hall” meeting in March only reinforces this. The FSA/ PRA staff said there that they had discussed the proposals with the 20 largest firms – hardly comprehensive coverage. The committee did not engage directly with all the major trade bodies either.
Our members tend to be far smaller than the target institutions. The result of wholesale adoption of this guidance for these and other non-systemic financial institutions would be proportionately higher costs, greater bureaucracy and potentially stifled decision-making. The aims are creditable, however, so we would welcome properly proportionate revised guidance for such institutions; that or a “comply or explain” approach. Precedents for a proportionate regime have already been set by the regulator in, for example, liquidity management and in recovery and resolution plans.
Most of our members have very small audit teams, nothing like those envisaged in the guidance. They may even co-source the more technical areas of internal audit. Others do not have in-house teams at all; they outsource internal audit. We recommend that the committee sets out how it expects the guidance to be interpreted in practice for these institutions and how outsourced and co-sourced internal audit functions can demonstrate that they comply with the spirit of the guidance. There should be no difference in the quality of assurance provided where audit is wholly or partly sourced externally.
Resource is another major concern of our members. Even the largest question where they will source suitably qualified and experienced internal auditors with the skill sets envisaged by this guidance. Their internal audit teams already comprise well qualified individuals but these will need time to develop the more “cultural” aspects of their skills. And where will the costs be recovered – most probably from the consumer.
Unclear still is how the regulator will police this guidance. We need to know how proportionality will be addressed and request confirmation from the regulator that smaller institutions will not be expected to have the same arrangements as systemic ones.
A. Role and mandate of Internal Audit
It does this by assessing whether all significant risks are identified and appropriately reported to the Board and Executive Management; assessing whether they are properly controlled; and by challenging Executive Management to improve the effectiveness of governance, risk management and internal controls. The role of Internal Audit should be articulated in an Internal Audit Charter, which should be publicly available.
Feedback – Section A
1. Role and mandate of internal audit
We welcome the move to define more clearly the role of internal audit. Internal audit plays a vital role in an organisation, particularly one that is a “significant UK financial institution”[1]. Its independence should be clear to all. It therefore makes sense for the internal audit function in such systemic firms to have a higher profile. But the proposals are less appropriate for smaller, non-systemic financial organisations, some of which have no in-house internal audit function. In some cases, the risk and compliance functions may be closely related. A set of simpler, high level proposals is needed for smaller financial institutions. Precedents for a proportionate regime have already been set by the regulator in, for example, liquidity management and in recovery and resolution plans.
The fact that the committee had no representation from smaller firms and met internal audit directors of large banks and insurance companies only shows where the thinking of the Committee on Internal Audit Guidance for Financial Services (“the committee”) lay.
Some of our members do not consider that it is the primary role of internal audit to help to protect the assets[2], reputation and sustainability of the organisation. That is for the board, and the risk management arrangements it puts in place. Internal audit helps the board to discharge its responsibilities by giving assurance that these arrangements are appropriate, and (in practice) effective. Certainly, internal audit can, and should, ask questions of executive management but overall responsibility for decisions remains with executive management.
The de facto positioning of internal audit as a non-executive function is a concern to some. While there is no dispute that internal audit should be fully independent, placing it outside the main business this way could break down trust between internal audit and the rest of the business.
We make two minor points. Firstly, we would like clarification of what “publicly available” in relation to the internal audit charter means. We wonder if this means the organisation as a whole and/ or the general public (via a website). Secondly, the phrase “properly controlled” is subject to interpretation. We prefer “managed within risk appetite”.
B. Scope and priorities of Internal Audit
In setting its scope, Internal Audit should independently determine the key risks that face the organisation, including emerging and systemic risks, and how effectively these risks are being managed. There should be no impediment to Internal Audit’s ability to challenge the executive and to report its concerns.
Internal Audit should include within its scope the processes and controls supporting strategic decision making, and based on this work, whether the information presented to the Board and Executive Management is complete, accurate and fairly represents the benefits, risks and assumptions associated with the strategy and associated business model.
Internal Audit should assess whether the risk appetite has been established and reviewed through the active involvement of the Board and Executive Management, and is accurately embedded within the activities, limits and reporting of the organisation’s businesses.
Internal Audit should include within its scope the risk and control culture of the organisation. This should include assessing whether the processes (e.g. appraisal and remuneration) and actions (e.g. decision making) are in line with the values, ethics, risk appetite and policies of the organisation.
Internal Audit should consider the attitude and assess the approach taken by all levels of management to risk management and internal control. This should include management’s actions in addressing known control deficiencies as well as their regular assessment of controls within their areas.
Internal Audit should evaluate whether products, services and supporting processes are designed in line with conduct regulation, and the organisation’s customer strategy, values and standards. Internal Audit should evaluate whether the organisation is acting with integrity in its dealings with all customers and in its interaction with relevant markets.
Internal Audit should include within its scope the management of the organisation’s risks relating to capital and liquidity and other regulatory risks.
These events include significant business process changes, introduction of new products and services, outsourcing decisions and acquisitions/divestments. Internal Audit should decide if these events are sufficiently high risk to warrant involvement on a real time basis. In doing so Internal Audit will evaluate whether the key risks are being adequately addressed (including by other forms of assurance, e.g. third party due diligence) and reported. Internal Audit should also assess whether the information being used in the decision making is, to the extent possible, complete, accurate and balanced and whether the related procedures and controls have been followed.
Internal Audit should evaluate the adequacy and effectiveness of the design, as well as the implementation, of the organisation’s policies and processes. As part of this evaluation, Internal Audit should consider whether the outcomes achieved by the implementation of these policies and processes are in line with the objectives, risk appetite and values of the organisation.
Internal Audit should make a risk-based decision as to which areas within its scope should be included in the audit plan – it does not have to cover all of the potential scope areas every year.
In setting its priorities and deciding where to carry out more detailed work, Internal Audit should focus on the areas where it considers risk to be higher, as well as taking into account the wishes of the Board and Board Committees. Both the determination and the assessment should be informed, but not driven, by the views of management or the Risk function.
Internal Audit’s risk assessment should be all-encompassing, taking into account business strategy and objectives and the full range of risks that have an impact on the organisation; combine a bottom up and top down assessment of risk; and take into account potential future or emerging risks on a continuous basis.
Internal Audit plans should be approved by the Audit Committee*. They should have the flexibility to deal with unplanned events to allow Internal Audit to prioritise emerging risks. Changes to the audit plan should be considered in light of Internal Audit’s ongoing assessment of risk. Items removed from Internal Audit’s plans should be reported, with appropriate justification, to the Audit Committee*.
Feedback – Section B
2. We agree that the scope of internal audit should be unrestricted and that internal audit should independently determine the key risks of the organisation. It must be able to examine everything in the business bar the board itself. There should be no impediment to internal audit’s ability to challenge the executive management and report its concerns.
3. Scope
b. Strategic and management information We agree that internal audit plays, and has always played, a fundamental role here. Internal audit teams already review this information as part of their audit plans/ individual reviews.
It is important that internal audit does not reproduce the work of the business or the risk function. Instead it should be exercising judgement, investigating any areas it considers high risk and/ or making comments. This delivers far greater value to the board and executive management. It is not internal audit’s role to challenge individual decisions made by the board; rather it is internal audit’s role to review periodically the general adequacy of information provided to the board, and whether the governance structures are working properly.
We understand from the town hall meeting in London in March that the intention is not for strategic management information to be assessed on a strict weekly/ monthly basis but on a risk basis. The wording of the guidance could therefore be made clearer.
d. Risk and control culture The risk and control culture of an organisation is unquestionably important. In the past, weaknesses here have been the cause of many bank failures. But defining an organisation’s risk and control culture, let alone assessing and measuring it, is challenging and time-consuming though possible. Culture could, for example, be assessed by auditing behaviours.
Requiring internal audit to take on this role marks a move away from the function’s traditional fact-based focus. Internal auditors could be supported in this respect by training from the CIIA and/ or a change to the syllabus.
We appreciate that the committee has not mandated the method but suggest the committee provide additional guidance on its expectations on culture, particularly in smaller non-systemic organisations.
e. Customer outcomes Under the three lines of defence model, it is the compliance function’s role to evaluate whether products, services and supporting processes are designed in line with conduct regulation. The risk function assesses whether they are in line with the institution’s customer strategy, values and standards. Internal audit, as the third line of defence, then checks independently to provide assurance that the second line of defence has satisfactorily fulfilled its requirements. We therefore request the committee to provide further clarity on the roles of internal audit, risk and compliance and where they should, and should not, interact. Otherwise there is a risk of duplication of work.
f. Capital and liquidity risks Capital and liquidity risks are two of a number of significant risks within a financial institution. It is unclear why these have been singled out specifically, and further explanation is requested in regard to “other regulatory risks”. There is a risk that this wording is taken to imply special treatment of these areas over others, and we do not believe that this is appropriate, or indeed intended.
g. Key corporate events We agree that it is internal audit’s decision if it should become involved on a real time basis in these events. In these cases, IA should have access to all the information used in the decision-making process and be able to form a view. Overall responsibility for these decisions lies with the executive management.
h. Outcomes of processes We agree that internal audit should evaluate policies and processes as part of the normal audit cycle of reviews, and that this be agreed by a board committee. Assessment of adherence to values presents a challenge given its potentially subjective nature but is an important part of internal audit’s work.
4. Prioritisation of audit work
We agree that work priorities should be based on risk and take into account directions from the board and board committees, and that these should be informed, but not driven by, the views of management or the risk function.
5. Risk assessment
No comment.
6. Internal audit planning
We agree with this process. Many institutions follow this model already. The key is to allow internal audit flexibility to deal with unplanned events.
C. Reporting results
Feedback – Section C
7. This is established practice in many financial institutions. Internal audit is already a key participant at meetings of the audit committee and, to a lesser extent, at the risk committee. With the latter, however, there is a risk that the internal audit and risk functions will end up reporting to the same committee when many institutions have separated this line of reporting. Indeed, one of the concerns with this guidance is the potential overlap/ confusion between the risk and internal audit functions.
There needs to be greater clarity and guidance on the respective roles and responsibilities expected of the audit and risk committees. This applies also to the dual reporting that appears to be recommended and could lead to duplication. Otherwise internal audit could end up reporting the same, or similar, information to different committees which may have a substantial element of shared membership and attendance. For smaller internal audit functions, it is also important that the time spent on reporting to committees does not detract from the time spent completing assurance work.
8. The reporting outlined here represents good practice for systemic financial institutions. For those non-systemic, in particular very small, financial institutions, some proportionality should be introduced. Examples would be the degree of assurance on point 3, the view of management’s reporting on the risk management of the organisation and the assessment of the effectiveness of the governance and risk and control framework. In non-systemic and smaller financial institutions the internal audit function may not be resourced to carry out these roles to this extent. In some cases, audit and risk may share reporting lines meaning they could end up assessing activities in which they had had a role.
D. Interaction with Risk Management, Compliance and Finance
Feedback – Section D
9 - 11. Clearly, internal audit should not be part of the finance function. That would compromise its independence and integrity. It is also not desirable to have risk management and compliance coupled with internal audit in larger, particularly systemic, financial institutions. That fractures the three lines of defence model. But in small financial institutions there may be crossover, for example in the reporting lines of risk and compliance. It may not always be possible for internal audit to rely on work from other areas only after it has evaluated that work. We therefore propose that some flexibility is introduced in this section for these smaller institutions.
One point we wholeheartedly support is that internal audit should not rely exclusively on the work of risk management, compliance or finance. To do so would jeopardise its professionalism and voice of independence.
Perhaps a more appropriate interpretation would be a wider principle ie internal audit is independent from the running of the business and the first and second lines of defence.
E. Independence and authority of Internal Audit
Feedback – Section E
12 and 13. This is a prime example of the cultural shift that will have to take place in some financial institutions. It has been the cause of much discussion. The chief internal auditor has not always been seen as an executive level appointment in some financial institutions. These proposals make clear that this will have to change. We agree – up to a point. We believe that this requirement must first and urgently be implemented by systemic financial institutions but subject to longer transition for all others. It is worth pointing out that an internal auditor in one of the societies where this is already the norm has been criticised by the regulator for being “too close”. Such conflicting directions are not helpful.
Progress in recognising the increased authority of internal audit is being made in financial institutions. We know that many chief internal auditors in the building society sector, for example, already attend executive committee meetings for the duration. Over the financial services sector as a whole, however, such a change may not be instant.
The aim of the chief internal auditor’s attendance at executive committee meetings should be clear – it is to provide input on risk and control only. Our view is that the chief internal auditor should already have an understanding of the business – we argue that s/he could not do his/her job without that. We agree that internal auditors should not vote; decision making is for the board alone.
We understand why the committee made the comment about the seniority of subsidiary and divisional heads of audit – again to raise the profile of internal audit – but it is relevant only to the mainly systemic financial institutions.
On a minor point, we suggest that “executive committee” is defined, as not all institutions use this term.
14. We agree that internal audit should have sufficient and timely access to key management information and a right of access to all of the organisation’s records, necessary to discharge its responsibilities. This should be the case in financial institutions already.
15. The CIIA[3] suggests that independence may be achieved through a dual reporting relationship ie through the board for functional matters and the chief executive for administrative matters. The committee proposes that the chief internal auditor reports to the chairman of the board, or to the chairman of the audit committee or, exceptionally, the chairman of the risk committee, so long as the latter comprises exclusively non-executive directors. There is no real divergence but no split in reporting lines either. A split would reinforce internal audit’s position in the business - independent but still a part of it.
16. In systemic financial institutions it is reasonable for the audit committee to appoint the chief internal auditor and, if necessary, remove him/ her from post. In other, non-systemic institutions, there may not be the resource to do this. Therefore we suggest that the guidance be amended for these bodies to say only that the audit committee should be involved in these decisions. How, and to what extent, it is involved is left to the discretion of the board of the institution.
17. We believe that the responsibilities are the wrong way round here, for all institutions. The chief executive should set the objectives of, and with, the chief internal auditor but must take into account the views of the chairman of the audit committee. Clearly, the chairman of the audit committee must be involved in the objective setting but the chief executive has an arguably equally strong role to play.
18. We agree with all the recommendations on remuneration except the first. We do not believe that the chairman of the audit committee as a non-executive director is in a position to recommend the remuneration of the chief internal auditor. The chairman of the audit committee will not necessarily know, for example, the details of all senior management’s responsibilities and remuneration packages (or other staff’s). But we do believe that the chief executive should agree broad principles in advance with the chairman of the audit committee.
Remuneration of the chief internal auditor should not be linked to the short term performance of the institution. We agree. Short term performance could be assessed in terms of financial performance, compliance with regulation, customer service or other business objectives. Confirmation that this paragraph does not relate only to annual profits would be helpful. Some guidance on what remuneration should be linked to would also be of assistance.
Another argument is that internal audit should have its own incentive/bonus scheme (if it has one at all). This will, of course, have an impact on base salaries in the market.
On a minor point, we would like to know if the proposal relates to setting remuneration on appointment and/or at the annual review.
19. No comment. The vast majority of our members have small audit functions and no overseas operations. This paragraph appears to be written with international, systemic financial institutions in mind.
20. Mandatory rotation of the chief internal auditor poses significant problems, not least contractual. Current incumbents cannot simply be dismissed because the institution wishes to engage another, ostensibly more independent job holder. Equally important is the fact that chief internal auditors need to be in post a number of years before they are fully familiar with the business and its systems and culture. Some of our members argue that a long time in post gives them a better insight into potential risks and therefore a greater confidence to question management.
To set terms for the chief internal auditor would force a move to fixed term contracts. Towards the end of the contract, it is possible the chief internal auditor would be less engaged, concentrating his/her energies on the next move.
But we do agree that the audit committee should take steps to be assured that the chief internal auditor (and by implication, divisional and subsidiary heads of internal audit) remains independent and objective, say through an effectiveness review. This can be done without mandatory rotation. If that were introduced, recruitment and retention of senior internal auditors in all financial institutions would become difficult.
21. A secondary reporting line to the chief executive officer may indicate an elevation in status for the chief internal auditor in some institutions (some of our members already operate this model). This will include a reassessment of the post holder’s remuneration package, and possibly an increase in costs for the financial institution. This elevation is necessary as the chief internal auditor will have the same seniority as the rest of the executive committee.
Such a significant change cannot be effected overnight, particularly in non-systemic financial institutions. There is, for example, only a limited pool of suitably qualified and experienced senior internal auditors. We therefore propose that this requirement is brought in over a period of time for non-systemic financial institutions, but over only a year for systemic institutions.
F. Resources
Feedback – Section F
22. This is the main challenge of the guidance. Some financial institutions will be expected to put in place larger, more senior and more experienced internal audit teams. While systemic institutions may be better able to absorb the costs, use co-sourcing and/ or arrange secondments, non-systemic institutions are not always resourced to do this. Even if they were to find and pay for the right staff, there is a danger they would not stay as they may not be kept sufficiently occupied. Secondments are difficult too in smaller institutions as that would leave a gap in another area, for example, risk. We do, of course, recognise that this challenge is driven as much by current expectations of audit as by the demands of the guidance.
This guidance could be seen as setting up a different type of internal auditor to that currently regulated by the Chartered Institute of Internal Auditors. The internal audit qualification is universal – any country, any sector, any size. That is why the institute’s standards are not industry-specific. It would therefore be helpful to know how the institute is going to integrate this guidance. Will internal auditors in UK financial institutions be obliged to take different/ additional qualifications or is the intention that there will be supplementary guidance only for IAs in FIs? If it is the former, an indication of timing would be helpful.
23 and 24. We agree that the chief internal auditor should provide the audit committee with an assessment of the work and skills required to carry out the work needed either on an annual basis or when there has been significant change.
Ownership of the internal audit budget is less clear cut. We understand why the committee sees this as the province of the audit committee as internal audit is independent of the rest of the business. Problems will arise, however, if the audit committee proposes a budget that is out of step with the rest of the institution. As members are all non-executive, they cannot be expected to know all the workings of the institution. A more appropriate action would be for the audit committee to comment on a budget proposed by the executive.
But we do agree that internal audit staff should inform the audit committee of any concerns over resources and that the audit committee should then act on those concerns. This might involve informing the board and requesting a reallocation of resources. In practical terms it might mean the engagement of external/ guest auditors for one or more projects.
25. We do not object to the notice in the annual report on resourcing of the internal audit function but consider it adds little of substance. We are mindful of the recommendations of the Accounting Standards Board’s 2011 publication on cutting clutter in annual reports.
G. Quality assessment
Feedback – Section G
26. We agree that the audit committee should identify appropriate performance criteria for the internal audit function but consider delivery of the audit plan to be the most important element of the appraisal.
27. We expect the internal audit function to maintain and update a set of policies and procedures. That is core to the professionalism of internal audit. The performance and effectiveness measures, arguably more challenging, are important and should reflect the size and nature of the institution.
28. Internal audit functions of sufficient size are to develop a quality assurance function. No guidance is provided on the size considered to be sufficient and as a result this will be open to interpretation. While the principles articulated are sound, it will be difficult for smaller functions to adhere to these requirements and in particular those relating to independence. Compliance is therefore likely to be on a best endeavours basis. If this proposal is adopted, even in part, the regulator must take note – one of our smallest members has been told to develop a greater QA process.
29. The Chartered Institute of Internal Auditors’ standards state that an independent external assessment of the internal audit function should be carried out every five years. We suggest that this period replaces “at appropriate intervals”. We are not clear why there is a difference in this guidance.
To require the chairman of the audit committee to oversee and approve the appointment process for the independent assessor is appropriate for systemic financial institutions but in non-systemic ones we suggest the chairman should be able to delegate part of the process to another non-executive.
H. Relationships with Regulators
The Chief Internal Auditor, and other senior managers within Internal Audit, should have an open, constructive and co-operative relationship with regulators which supports sharing of information relevant to carrying out their respective responsibilities.
As a significant influence function, the Chief Internal Auditor must fully comply with the relevant provisions of the Statements of Principle and Code of Practice for Approved Persons, the UK Corporate Governance Code, and other obligations specific to Internal Audit as set out in the relevant regulator’s handbook.
Feedback – Section H
30. The chief internal auditor already works closely with the regulator so this part of the guidance merely formalises the current position. But we caution against any further attempts to deepen this relationship otherwise internal audit could be perceived as an arm of the regulator rather than an independent part of the business. To maintain this independence some of our members argue that the regulator should receive information prepared by internal audit through executive management. This was considered more appropriate and ethical.
Any reviews by the regulator need to be undertaken by experienced and suitably-qualified staff. These reviews should not be a box ticking exercise. All reasonable financial institutions want an effective review by the regulator so the board can be assured as to the effectiveness of internal audit – not a tick box exercise.
31. We note that the UK corporate governance code will need updating to take account of the changing role of internal audit.
I. Wider considerations
Feedback – Section I
32. We agree that board committees and senior management should set the right tone for the acceptance of internal audit. A possible stumbling block, mentioned in the March “town hall” meeting, is that some senior figures in the wider financial services sector are not fully aware of the proposed changes contained in this guidance. Our experience is that this is not the case in the mutual sector, however. Many of our members already operate in a manner broadly consistent with the intended outcomes of the guidance.
Our proposal is that the guidance is rolled out to systemic institutions first and then, suitably amended, to non-systemic institutions over a longer period. That would give all institutions time to absorb the significance of these reforms and engage with the CIIA and regulator as necessary.
33. Additional guidance for board audit and risk committees on the enhanced role of internal audit may be necessary to implement this guidance effectively. This will help to avoid potential committee duplication. We would suggest that when this guidance is finalised, copies for those committees should be made available.
* In the interest of simplicity and clarity, this document has assumed that Internal Audit’s primary reporting line is to the Audit Committee. Please refer to recommendation 15 for the Committee recommendation relating to Non-Executive reporting lines.
[1] “However these [current] standards are not industry specific and in particular do not meet all the current expectations of internal audit in significant UK financial institutions” paragraph 4 of covering letter from Roger Marshall, chairman of the committee.
[2] But not the liabilities? Liabilities for building societies in particular mean the savings of individual members. Societies are required to protect their interests.
[3] Practice Advisory 1110-1: Organizational Independence