Many well-known banks are paying billions of dollars to settle allegations of a wide range of wrongdoing. Directors at all financial institutions would be wise to ask how these things could happen without internal controls preventing them or detecting them in a timely manner. Is there a systemic weakness in internal controls that could also affect your institution? Studying The Institute of Internal Auditors’ (IIA) last Global Audit Survey in light of recent events suggests there is such a weakness and that it impairs 62 percent of the internal audit functions in the financial services industry.
So what’s the issue? Essentially, an alarmingly high proportion of internal audit functions are failing to comply with the “International Standards for the Professional Practice of Internal Auditing,” which set out basic requirements that the IIA considers essential for an internal audit function. The IIA mandates that members comply fully with its Standards. Failure to do so is a violation of the IIA’s Rule of Conduct 4.2.
This is not just a paperwork issue: it is substantive and affects the quality and reliability of internal audits. According to the IIA’s Global Internal Audit Survey, last conducted in 2010, only 38 percent of finance industry chief audit executives self-reported that their internal audit function complied fully with the IIA’s quality assurance standard, AS 1300: Quality Assurance and Improvement Program. Self-reported compliance with other IIA standards was higher, but still worryingly short of what investors, regulators and bank directors might reasonably expect. Only 60.6 percent of chief audit executives said they complied fully with PS 2600: Resolution of Senior Management’s Acceptance of Risks. This standard requires them to inform the board of directors if management failed to resolve risk-taking that the chief audit executive believed to be excessive—an extremely important issue for directors.
Looking at two of the simplest, most basic standards, while 76.1 percent complied with AS 1200: Proficiency and Due Professional Care, that still means that nearly a quarter of internal audit employees in the finance industry apparently operated without the skills necessary to do their job properly or failed to conduct their work with appropriate care. For AS 1100: Independence and Objectivity, chief audit executives self-reported 83.4 percent compliance, suggesting that one-sixth of internal audit departments in finance failed to meet the requirements to be independent and objective, a fundamental tenet of auditing.
I have many friends who are internal auditors whom I respect highly, yet the internal audit profession has allowed the IIA standards to be widely disregarded without disciplinary consequences. This situation has been going on for years, is well-known within the internal audit profession, but has not been well communicated to the broader financial community.
In addition to putting their reputation at risk, bank directors who allow such noncompliance to occur at their financial institution may expose themselves to allegations of negligence and breach of their duty of care.
Actions You Can Take
Some actions you can take to help your bank deal with this issue are:
- Ask your chief audit executive whether the internal audit function operates in full compliance with all IIA standards. If it does not, ask why and whether there’s a plan to come quickly into compliance. Probe, with professional skepticism, any negative responses.
- If there is noncompliance, identify potential legal, regulatory, financial and reputational risks, as well as the potential impact on the effectiveness of the entity’s enterprise risk management.
- Work with your chief audit executive, chief financial officer, chief executive officer and board chair to implement any appropriate changes to bring your bank’s internal audit promptly into full compliance with all IIA standards as a minimum level of quality. Going beyond the minimum standards may also be necessary for more sophisticated entities and those with high risks.
Internal audit is a key internal control for preventing and detecting major fraud and other wrongdoing at banks. Customers, investors and other stakeholders can reasonably expect bank directors to ensure that their internal audit functions meet, or exceed, IIA standards. Bank directors can help internal audit get sufficient moral and financial support from management and the board to comply fully with IIA standards.