Follow Us

Follow us on Twitter  Follow us on LinkedIn
 

02 May 2012

ECIIA: IIA's Response to the Basel Committee on the internal audit function in banks


Default: Change to:


The Institute of Internal Auditors provided comments on the consultative document, entitled "The internal audit function in banks", from December 2011. Comments are based on discussions conducted by a core team of internal audit professionals who serve on the IIA's Professional Issues Committee.


Over the last decade, the banking industry has undergone major changes as did the audit profession. Therefore, the IIA applauds the issuance of a revised supervisory guidance for assessing the effectiveness of the internal audit functions in banks as an effort to replace the 2001 document "Internal audit in banks and the supervisor's relationship with auditors".

The following are the IIA's principal comments and observations:

Principle 7 of the document appears to restrict the overall responsibilities of the internal audit function.  With regard to its assurance role to the board, the internal audit function is meant to provide global assurance to the board on the internal control and risk management systems pertaining to all governance objectives. This encompasses business control objectives, financial reliability, regulatory and legal compliance, etc.

The IIA recommends inclusion of stricter language pertaining to the independent review of the internal audit function, as covered in the document under "Responsibilities of the board of directors and senior management". The Standard 1300 of the International Standards issued by the IIA requires a "Quality Assurance and Improvement Programme", also 1311 requires internal assessments including ongoing monitoring and periodic assessments, and 1312 requires external assessments must be conducted at least once every five years. The IIA recommends including a reference to periodic independent review of internal audit functions, including reference to Standards 1300, 1311 and 1312 in paragraph 43 of the document.

Regarding the Overview section, "Principles relating to the supervisory expectations relevant to the internal audit function", the IIA suggests highlighting the importance of internal auditors acting with integrity and in accordance with The IIA Code of Ethics and the International Standards for the Professional Practice of Internal Auditing.

Relative to the described responsibilities of the board of directors and senior management (section A 5), the IIA believes senior management should keep the internal audit function not only informed of new developments, initiatives, projects, products and operational changes, but of changes in strategic direction as well.

The IIA recommends including the following aspects within the list of minimum requirements for an internal audit charter (section A 4):

  • Provide information about evolving models on governance, risk, control and compliance (GRCC) to board members, and promote education of bank personnel on GRCC to ensure awareness and importance.
  • Attend the bank's governance committee meetings to provide advice and counsel. In order to maintain its independence, internal audit should act as an advisor and not have responsibility for the committee's work.
  • Perform and report on fraud analysis and conduct special verification of potential irregularities.

The IIA recommends replacing paragraph 29 as follows:

The head of internal audit is responsible for developing an annual risk-based internal audit plan that can be part of a multi-year plan. The head of internal audit takes into account audit risk factors as well as the bank's risk organizational objectives and risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If the framework does not exist, the head of internal audit will consider perceived risks on the basis of consultation with senior management. The board's approval of the audit plan implies that an appropriate budget will be available to support the internal audit function's activities. The budget should be sufficiently flexible to adapt to variations in the internal audit plan in response to changes in the bank's risk profile.

Full letter



© ECIIA


< Next Previous >
Key
 Hover over the blue highlighted text to view the acronym meaning
Hover over these icons for more information



Add new comment