In its most recent Supervision Newsletter, the European Central Bank (ECB) published an article outlining examples of good practices in banks’ internal audit functions that it has observed during extensive reviews over the past few years.
The internal audit function performs a crucial role within a bank given its responsibility for independently evaluating the quality and effectiveness of a bank’s risk management, internal controls and governance processes, and providing objective assurance that the bank’s activities and functions comply with applicable legal and regulatory requirements. The ECB’s observations on good practices will provide banks with the opportunity to consider if enhancements to their respective internal audit functions are required to improve their effectiveness and efficiency.
The ECB expects EU banks to have in place robust and fully independent internal audit functions in line with the European Banking Authority’s Guidelines on internal governance. As the Guidelines apply not only to banks but also to investment firms that are subject to Title VII of CRD IV (Directive 2013/36/EU), the good practices outlined in the ECB’s article will also be relevant to these investment firms.
Examples of good practices in an internal audit function
The following examples of good practices fall within three key areas that drive an effective internal audit function: (1) the governance of the internal audit function; (2) the audit cycle, audit plan and resources; and (3) the stature of the internal audit function and follow-up on findings.
Governance
- One-to-one meetings between the chair of the audit committee and the head of the internal audit function are organised to discuss relevant topics, and the content and outcome of these meetings are reported to the board.
- The audit committee is responsible for performing the appraisal of the head of the internal audit function and provides input to the remuneration committee for decisions on the head of internal audit’s remuneration.
- Internal charters establish the frequency and minimum content of the reports submitted by the head of the internal audit function to the board.
Audit cycle, audit plan and resources
- The audit plan acknowledges that additional resources may be needed for ad hoc reviews brought about by unexpected events, and sufficient spare capacity is kept readily available.
- The audit plan takes into account and follows up on the findings of supervisory authorities (e.g. SREP recommendations).
Stature of the function and follow-up on internal audit findings
- Audit reports elaborate on the root causes of findings, provide clear recommendations with clear deadlines to rectify findings, indicate the area(s) responsible for remediation and contain closure criteria.
- Any delays in the implementation of remedial actions, in addition to high-risk findings and findings with ‘risk accepted’ status (including recommendations), are presented to the audit committee by the respective audited unit – this process is also reflected in the bank’s internal policies.
- The internal audit function approves deadline extensions for recommendations in exceptional cases only. Deadline extensions are reported to the senior manager responsible and the board for information and discussion purposes.
- For discarded findings or renegotiated deadlines, or where further supporting documentation is requested, the approval of the head of the internal audit function is required.
- In the event of disagreement between the business area and the internal audit function, the internal audit assessment and rating prevails, and the disagreement is noted in the report.
Additional opportunities for enhancement
The ECB’s article also outlines several shortcomings that were identified during the ECB’s review of banks’ internal audit functions falling within the same key areas as the good practice examples. Banks and investment firms now have the opportunity to assess if any of these are matters that need to be addressed within their organisation and take remedial steps where necessary.
The following shortcomings were identified by the ECB:
Governance
- In respect of independence of the function and direct access to the board, the ECB observed some cases of limited involvement of the board and audit committee (or equivalent) in overseeing the activities and effectiveness of the function.
- Some banks have scope to increase the role played by the board in the processes for appointing the head of the internal audit function, setting objectives for them and assessing their performance.
- In relation to performance indicators, not all banks have defined control-related key performance indicators for the head of the internal audit function and its staff, and the performance indicators that do exist often rely excessively on the bank’s profit margins and performance.
Audit cycle, audit plan and resources
- While banks’ internal audit functions have generally developed risk-based methodologies that cover their control framework, there are instances where the audit plan should be more comprehensive, as it does not sufficiently cover the follow-up of supervisory findings, the implementation of the risk appetite framework or climate and environmental risks, for example.
- Some banks’ subsidiaries and branches were not adequately reflected in the group audit plan.
- Several banks’ internal audit functions do not have the necessary resources and skills to carry out their duties in accordance with internal audit plans, both in terms of the number of auditors and in terms of specialist expertise (e.g. IT and cybersecurity).
- Many banks have not yet implemented any clear rotation process for internal audit staff.
Stature of the function and follow-up on internal audit findings
- Banks’ internal audit functions are generally well established, having sufficient stature and visibility. However, some audit reports are not exhaustive enough and the ratings assigned to findings do not always reflect the severity of the underlying issues.
- Some banks still need to implement an escalation process for findings in the event of disagreement between the business unit and the internal audit function.
- Finally, some banks need to improve their follow-up process for audit recommendations.
Conclusion
The ECB indicated that its Banking Supervision team will continue to assess banks’ progress in enhancing their internal audit function through peer benchmarking, sharing good practices and ongoing industry dialogue. The ECB’s forthcoming updated guide on governance and risk culture will further clarify supervisory expectations in this area – the ECB’s plans to publish an updated guide were referenced in a recent speech by Mr Anneli Tuominen, Member of the Supervisory Board of the ECB.
For further information in relation to this topic, please contact Dario Dagostino, Partner, Patrick Brandt, Partner, Mark Devane, Partner, Sarah Lee, Senior Knowledge Lawyer or any member of ALG's Financial Regulation Advisory team.
Date published: 22 May 2024