Internal audit in financial services: a long time to wait for not very much

“Time is the old justice that examines all such offenders, and let Time try.” As You Like It, Act IV, Scene 1
As Canadian consultant Tim Leech pointed out in an ACCA column in 2009, internal auditors really didn’t have a good financial crisis.  Quite validly, Tim asked the question:

Not being fingered for even a portion of the blame in a catastrophic situation is a good thing for the internal audit profession, isn’t it?

His answer to this rhetorical question strikes at the heart of the utility and effectiveness of internal audit:

. . . the absence of even mild criticism of the internal audit profession is an indictment of the profession’s track record assessing and reporting on the effectiveness of their client’s risk management systems to help prevent catastrophic risk and control governance failures before they occur.

Although it sometimes seems like much longer, it is approaching six years since the global financial crisis started to unfold.  On 2 April 2007, the United States’ second largest mortgage originator, New Century Financial Corp of Irvine, California filed for relief under Chapter 11 of the United States Bankruptcy Code in Wilmington, Delaware.  The rot had begun to show.

The post mortems began to appear in earnest in early 2009, once the true scale of the impact of the US Treasury’s decision to allow Lehman Bros to fail in October 2008 became apparent.  As Tim Leech pointed out in his column in February of that year, none of those post mortems sought to blame failings by internal auditors.  The first major industry review, the 2008 report of the Institute of International Finance, for example, barely referred to internal audit or the practice of internal auditing.

Similarly, in the UK, Sir David Walker’s 2009 review was scarcely resplendent with references to internal audit.  His logic for this was hardly flattering:

. . . failures that proved to be critical for many banks related much less to what might be characterised as conventional compliance and audit processes, including internal audit, but to defective information flow, defective analytical tools and inability to bring insightful judgement in the interpretation of information and the impact of market events on the business model.

However, with the passage of time, attention has turned to internal audit.  In mid 2012, the Basel Committee on Banking Supervision (BCBS) of the Bank of International Settlements revised its 2001 document on the role of banks’ internal audit functions and their supervision.  Its statement on the purpose of internal audit in banks is included as Principle 1:

An effective internal audit function provides independent assurance to the board of directors and senior management of the quality and effectiveness of a bank’s internal control, risk management and governance systems and processes, thereby helping the board and senior management protect their organisation and its reputation.

That’s pretty clear.  But how, precisely, will it do that?  The BCBS guidance is largely silent on the output from internal audit activity but does refer to review by both the audit committee and supervisors of internal audit reports.

Revelling in its chartered status, the UK’s Chartered Institute of Internal Auditors (hereafter UK Institute) has also recently reviewed the role of internal audit in banking, publishing a consultation document in February 2013.  Departing from recent practices, the UK Institute’s review advocates that the director of internal audit report to the firm’s chairman (noting it may be delegated to the chair of the audit committee).  It’s their guidance, they can, after all, recommend what they like.

More notably, the document states that the role of internal audit:

should be to help to protect the assets, reputation and sustainability of the organisation.

Hmmm.  This differs materially from the BCBS expectation around provision of assurance, although it may, of course, encompass the BCBS requirement for assurance also.

Interestingly, the UK Institute’s expectation of the focus of reporting also differs from the BCBS’ view, and includes:

at least annually, an assessment of the overall effectiveness of the governance, and risk and control framework of the organisation, together with an analysis of themes and trends emerging from Internal Audit work and their impact on the organisation’s risk profile.

That is, internal audit should prepare a periodic opinion on effectiveness of the control framework.  That is not an opinion on control, per se, but on the framework surrounding control.  In addition, the UK Institute’s document advocates including within internal audit’s scope of work, inter alia, “the setting of and adherence to risk appetite” and “the risk and control culture of the organization.”   Nowhere in the document are these terms explained or are methods for forming an opinion thereon offered.

Not everyone is a fan of periodic control opinions.  Tim Leech, for one, has written and spoken against them repeatedly.  As he noted in the ACCA piece:

The fact that more than one in every eight Sarbanes-Oxley section 404 control effectiveness opinions from management and external auditors in 2006 were later found, as a result of restatements of the financial statements, to be materially wrong should raise serious questions about the ability of auditors today, both internal and external, to form reliable conclusions on control effectiveness.

Usefully (well, not really), the latest revision to the IIA global standards differentiates between an engagement opinion and an overall opinion.  IIA is clearly leaving the door open for the growth of control opinions, thereby catching up with the reality of the post-Sarbanes-Oxley world.  But opinion over what?

Tim Leech favours reporting on the effectiveness of risk management systems.  As he said:

I believe without reservation that reporting on the current effectiveness of risk management systems is significantly more valuable than providing subjective opinions on the effectiveness of control.

The crux of Tim’s argument is that

management and auditors currently lack the necessary assessment frameworks, training and tools to provide reliable, repeatable conclusions on control effectiveness.

Yet I cannot see that such frameworks are any more clearly developed in relation to firms’ management of risk.  And certainly not in “the setting of and adherence to risk appetite” and “the risk and control culture of the organization.”  Tim elsewhere has advocated use of the ISO 31000 standard as the basis for risk frameworks but the reality is that this standard has many detractors, me included, and offers no useful insight on either of these difficult topics.  One such detractor is Bob Kaplan of Balanced Scorecard fame who argues that we are not yet ready for standards in risk management and that there are dangers in doing so:

[I]n an environment with limited knowledge and experience, premature standard setting will inhibit innovation, exploration and learning.

The IIA itself notes the problems confronting internal auditors examining risk frameworks:

[I]nternal auditors who seek to extend their role in ERM [should not] underestimate the risk management specialist areas of knowledge (such as risk transfer and risk quantification and modeling techniques) which are outside of the body of knowledge for most internal auditors. Any internal auditor who cannot demonstrate the appropriate skills and knowledge should not undertake work in the area of risk management.

The reality is that internal auditors’ knowledge, and knowledge more generally, in risk and internal control falls well short of the level necessary to produce comprehensive, reliable and replicable opinions on the performance either of firms’ risk management or of their internal control.  A key problem is the assumption of the value of standardization, as Kaplan states.  The rush to claim authority by COSO, by the PCAOB or SEC or by ISO simply inhibits innovation, exploration and learning by firms whose differing contexts and environments may well dictate different solutions to frameworks in risk management or in internal control.  Regulatory mandate should not be confused with authoritative knowledge.

In the area of internal control, for example, arguably the best work is by another Harvard scholar, Robert Simons, whose 1995 levers of control model represented a far broader approach than the subsequent, accounting-driven SEC versions of internal control.  It encapsulates many of the enfants bâtards that are now emerging around behaviour and control.

Instead of adopting dirigiste approaches of closing off innovation, standards-setters, regulators and professional bodies should be adhering to the Maoist dictum of “let a hundred flowers blossom.”  Academics should be supporting or even driving that innovation rather than falsely or prematurely asserting authority, as so many have done, especially in relation to risk management.  Research funding agencies in the UK should be supporting such innovation rather than being gulled into believing there are singular answers to complex questions in risk management and internal control.

In the meantime, risk managers and internal auditors (and regulators, themselves) are left with a dilemma: how to proceed when there is regulatory pressure to enhance management practice in areas where there are not established or reliable bodies of knowledge?  ‘Carefully,’ and ‘with as much knowledge as possible’, would be my suggestions.  This will require a considerably greater emphasis on investing time and effort to acquire knowledge and insight, as opposed to cataloguing of other firms’ practices, than has been in evidence to date.

While, in the UK, the FRC may be on the verge of requiring greater attention to quantitative and integrative risk management practice than previously, the best argument for better knowledge and practice remains one of improving performance.  As recent US research by Booz&Co. shows, underestimating strategic risk is the principal cause of shareholder value destruction.  Addressing firms’ comparative advantages in risk-assumption and risk-bearing are existential requirements for all corporate firms; they cannot afford to wait for internal risk managers and internal auditors to catch up.  But catch up, in time, they must – or risk losing both their credibility and professional designations.

