A better look inside

Internal audit

The effectiveness of the internal audit function varies across the financial services sector. As regulatory scrutiny tightens and management exerts ever more stringent cost control, a common question being asked by non-executives is whether internal audit is striking the right balance and style of assurance over governance, risk and control systems. Irma Fourie and Anthony Kennedy argue that for some, the effectiveness of internal audit has to improve.

It is clear that ineffective control and risk management was a significant contributor to the development and scale of the financial crisis. Many people have rightly asked 'How could this have happened?' The responsibility is widespread, and the details will no doubt be debated at length for many years. The failures extend to macro levels as politicians, regulators, central bankers and others have all contributed to what should be regarded as a collective failure. The overall control and risk management framework in certain financial services companies needs to be challenged and reshaped so that it is truly effective in a radically different operating environment.

We are seeing heightened scrutiny by regulators of control and risk management frameworks across the board.

In the UK, many of the 'ARROW' assessments¹ by the Financial Services Authority (FSA) are raising concerns over the quality and effectiveness of corporate governance mechanisms.

In South Africa, the King III Report² on corporate governance, which was issued in September 2009, requires companies to establish an internal audit function which provides assurance over the company's governance, risk management and internal controls. King III places more emphasis on the role of internal audit in that it will be required to provide a written assessment of the system of internal controls and risk management to the board, as well as a written assessment of the internal financial controls to the audit committee. King III differs from Sarbanes-Oxley in that no attestation is required from external auditors on internal financial controls. The audit committee will make a statement to shareholders on the internal financial controls. This will further raise the profile of the internal auditor.

In the aftermath of the crisis, audit committees are understandably placing greater emphasis on reviewing whether internal control regimes are effective.

Conventionally, the control and risk management framework of an organization is described in terms of a three lines of defense model:

  • the first line or 'coal face': the system of checks, rules and controls which is imposed on staff in the business lines by management
  • the second line, typically risk and compliance: the specialist internal functions which set risk management and control policy and monitor its observance
  • the third line, which comprises audit: the formal processes of reviewing compliance with, and providing assurance on, sound performance and accurate reporting of risk mitigating strategies.

Internal audit, specifically in the financial services sector, is turning into a two-tone state. Some institutions invested through the troubled times in expectation of heightened control issues and have come out on top, while others have lost direction, principally through cost control measures. Also, having the right person at the top of the function (Head of Audit) is key.

Where companies have achieved success, common themes have evolved which include:

  • having a strategic view looking out over a two- to five-year period which is periodically refreshed and communicated to the business and control functions
  • having the right people in the function and developing core and specialist skills. This also includes acknowledgement that certain skills may have to be co-sourced externally or obtained from the business
  • having continuous interaction with the business and control functions, specifically between the second and third line of defense, to ensure they are able to respond in a proactive way to new and emerging risks
  • having a dynamic audit plan which is updated quarterly, is risk-based and allows significant time to be spent on new business lines and change projects
  • respect from stakeholders.

For those that now need to up their game, the people agenda is a difficult area to balance. In particular, the depth and range of skills almost always has to be enhanced. To complement the more experienced staff typically assigned to manage internal audit, the more far-sighted banks and insurers are now using 'guest' reviewers from the business and rotating staff and potential high-flyers into and then out of internal audit, using the function as an incubator of future talent and as a means to truly understand the organization. New skills can also be developed by training, new hires and external co-sourcing.

In certain countries, such as South Africa, there is a significant skills shortage which makes it increasingly difficult for in-house internal audit teams to hire and retain the skills required to audit the more strategic and high-risk areas.

To help complement in-house development, aspects of internal audit may be co-sourced, or outsourced to third-party suppliers where local regulators permit. This can be particularly valuable and cost-effective in relation to more technical areas such as IT, regulatory or treasury operations.

The current increased focus on the quality of the internal audit operation offers an opportunity to develop a high-quality function. Those that are most successful will find it an invaluable component of the overall control and risk management framework and a contributor to the successful execution of their corporate strategy.

Article Authors

Irma Fourie
Partner
KPMG in South Africa +27 11 647 6820

Anthony Kennedy
Director
KPMG in the UK +44 20 7694 2875

1. Advanced Risk-Responsive Operating frameWork.
2. The third South African report on corporate governance (King III) was released September 1, 2009 and becomes effective on March 1, 2010. This report replaces the King II report and has expanded on governance as a requirement for all entities in South Africa. It has put new emphasis on, amongst others, sustainability, internal audit, IT governance and the composition of boards and audit committees.