The Basel Committee’s guidance document, The internal audit function in banks, was issued in June of this year. While supervisory guidance documents are primarily directed at national banking supervisors, they remain highly relevant to individual banks as supervisors, including APRA, move to address the principles and recommendations of the document. In this respect, APRA wrote to banks on 2 August 2012 to draw the attention of CEOs to the release of this revised guidance and to advise that APRA will consider how to incorporate it within its prudential standards.
Of course, individual banks' responses to the Basel Committee document and any subsequent APRA initiatives on internal audit should not be driven solely by compliance considerations: a robust and independent internal audit function is an important underpinning of good corporate governance and the institutionalising of effective risk management policies and practices.
The latest document builds on the proposed 'headline' principles contained in the earlier consultative document released in December 2011, mainly by extensively rewriting the supporting interpretation of the 20 principles concerned.
Among the most significant of these changes is a clear statement that a bank’s internal audit function should develop an independent and informed view of the risks faced by the bank based on its access to all bank records and data, its inquiries and its professional competence. Previous 'woollier' references to providing consulting services on the development of internal controls and acting as a ‘trusted adviser’ in such matters to senior management have been excluded from the final document.
The final guidance document now also states that when the risk management function has not informed the bank’s board about a serious divergence of views between itself and senior management about the levels of risk being faced by the bank, the head of internal audit should inform the board about the divergence of views.
Other important elaborations or additions to internal audit principles include:
- a definition of the 'three lines of defence' model for risk identification, management and independent review (this is the first BIS paper to really provide such a definition)
- the conduct of the internal audit function within a group or holding company structure
- internal audit staff rotation issues
- the scope of internal audit activities
- responsibilities of board audit committees
- communication between the supervisory authority and the internal audit function.
According to the guidance document, the head of internal audit should be given explicit responsibility for:
- the quality of internal audit staff
- ongoing training of staff
- managing the use of external resources to ensure objectivity and independence
- ensuring outsourced internal audit experts do not provide consulting services to any function of the bank they have recently audited.
KPMG believes board audit committees should in the first instance request that a formal gap analysis is prepared in order to assess the internal audit function against the guidance. Charters should be formally reviewed against the Basel Committee’s final principles including its emphasis on the ‘right skill sets’ which may require a significant investment in upgrading existing internal audit capabilities.
Internal Audit functions should consider performing a gap analysis in relation to these new requirements together with an action plan to remediate any gaps identified. A summary by KPMG outlines the key impacts for banks.
However, perhaps the most important underlying message of the Basel Committee’s document is that the expectations of the internal audit function have been significantly raised in terms of its professional objectivity and independence, coverage and its skills. That alone should give board audit committees plenty to chew on.