The consultative document aims to provide guidance to supervisors on assessing the effectiveness of banks’ internal audit functions. These assessments form part of the supervisory review of the effectiveness of risk management frameworks and governance structures of authorised deposit-taking institutions (ADIs), and consequently the intensity of supervisory work and requirements. In the Australian context, APRA addresses this through the methodology of its supervisory oversight and response system (SOARS).
The document takes into account the latest developments in supervisory practices and in banking organisations, such as the Principles for Enhancing Corporate Governance released in October 2010. It also looks to incorporate some of the lessons learned from the recent financial crisis.
Whilst the consultative document continues as a statement of principles and supporting explanations, it is clearly attempting to cover the intervening introduction of the Basel II Framework and subsequent revisions to it; the proposed expectations of the Basel III Framework; and the experiences of the GFC. These have caused a reconsideration of what constitutes an effective risk management and governance structure, and an effective supporting internal audit function.
The consultative document has been significantly restructured and its principles reordered, making direct comparison difficult. To assist, we have highlighted the key changes proposed and their potential impact on internal audit functions for Australian ADIs:
- The consultative document appears to take a stronger stance on the independence of internal audit in a number of its principles, such as Principle 2’s reference to the remuneration of internal audit. The paper highlights that remuneration, if linked to the financial performance of the bank as a whole, may undermine the independence of internal audit. Similarly, under Principle 10, the oversight role of the audit committee is expanded, including being solely responsible for approving the audit plan.
- The revised consultative document expands on internal audit’s role in coverage of regulatory matters. While this is in line with APS 310, which already requires internal audit to review the policies, processes and controls put in place by management, it has expanded on the principles set out in the 2001 paper to specifically call out internal audit’s role in reviewing stress tests on capital, the reasonableness of scenarios and assumptions, and the reliability of processes used. In addition, banks’ systems for monitoring liquidity are also required to fall under internal audit’s purview (Principles 6 and 7).
- The consultative document explicitly recognises the role of the three lines of defence and deals in detail with the relationship between internal audit, compliance and risk management. Although the 2001 paper recognised reliance on the work of other departments, this was only a limited reference (Principle 13).
- The relationship between supervisors and internal audit has been significantly expanded. In particular, considerable attention has been paid to the communication between these two groups and the need for greater sharing of information. Importantly, there is a recognition that this is a two-way relationship and that supervisory authorities should consider sharing relevant information with internal audit (Principle 16); the document makes reference to this being done in the same way as the audit committee is informed.
KPMG has a dedicated Internal Audit, Risk & Control Services group focused on financial services and the banks. If you would like to discuss any material covered by the consultative document or any internal audit related matter, please contact us.