With attention comes attention. Internal audit has been looking to elevate its “seat at the table” for as long as I can recall. And, in 2013, internal audit is being given that seat more and more as a result of regulatory intervention. Internal audit is getting attention.
As you have likely noticed, internal audit is increasingly finding itself on the radar of regulators around the world, particularly those overseeing financial services. We saw this in the U.S. Federal Reserve Guidance that came out earlier this year. And, in response to concerns being raised by financial services regulators in The U.K., The Chartered Institute of Internal Auditors published Effective Internal Audit in the Financial Services Sector: Recommendations From the Committee on Internal Audit Guidance for Financial Services. Even the New York Stock Exchange and NASDAQ have been proposing potential changes to their listing requirements where internal audit is concerned. A common thread in the regulators’ efforts seems to be a quest for more independent, more effective internal audit functions with better access to company boards.
The question is: Why? Is it because they think we haven’t done a good job? Or, is it that in their post-mortem analysis of the circumstances leading up to the financial crisis, they concluded that such measures would enhance internal audit’s potential to foster effective risk management and governance?
I think it’s a little of both. Most of us would agree that, as a profession, we didn’t knock it out of the park in helping to identify or having an impact on the way risks were being identified, discussed, and managed in financial services. I don’t think anyone has been shouting from the rooftops, “Where were the internal auditors?” But I do think that regulators realized that, in many cases, internal auditors hadn’t been given the independence and stature they needed to be effective.
Often, we didn’t have necessary access to the board. The resources for financial services internal audit, both in terms of numbers and talent, also were inadequate. A few months ago, the chief audit executive (CAE) of one of the largest global banks chronicled for me how his predecessor had his resources reduced by almost 40 percent between 2005 and 2009.
I think regulators are getting it right. Requirements, such as those put forth by the U.S. Federal Reserve Board and covered in my Jan. 28 blog, underline what we at The IIA have been promulgating and recommending for years:
This is not a complete list, but you get the picture. A well-designed, comprehensive quality-assurance program should ensure that internal audit activities conform with The IIA’s globally recognizedInternational Standards for the Professional Practice of Internal Auditing as well as with the individual organization’s internal audit policies and procedures. The program should include both internal and external quality assessments.
Each institution should conduct an internal quality assessment annually, and the CAE should report the results and status of these internal assessments to senior management and the audit committee.
Regardless of why internal audit is on regulators’ radar, I see it as a very positive sign. What do you think?