Over recent years, European banks subject to supervision by the European Central Bank (ECB) have been faced with the need to adjust their risk governance models to ensure they are deriving appropriate value from their internal control functions. Internal Audit (IA) plays a fundamental role in this drive for added value. Regulatory developments, stakeholder expectations, and increasing business and operational risks have all contributed to a broader and more complex mandate for IA functions.
To better understand how banks are responding to developments that impact IA, KPMG professionals conducted a survey of 22 Heads of Internal Audit from DG1 and DG2 banks in 11 European countries subject to SSM Supervision.
The traditional days of a ‘checks and balances’ approach are gone. IA functions must provide guidance on risk and its mitigation by harnessing data and analytics. In addition, it is critical that IA functions build a close working relationship with senior management and secure visible support from their audit committee.
This report discusses how IA functions are currently positioned and resourced, and how strategic priorities might continue to shift in the near future.
- Positioning: The majority of IA functions have built strong relationships with the Audit Committee. By developing a relationship with the Executive Board, IA functions enhance their ability to challenge business objectives.
For the majority of banks sampled, the most common frequency of meetings between Heads of Internal Audit and Chairs of the Board is from one to two times per year. In addition, 75 percent of respondents utilize stakeholder satisfaction questionnaires with auditees. This enables timely feedback and engagement with the business and auditee in relation to the ‘service’ provided by the IA function.
- Mandate: Regulatory developments, stakeholder expectations, and increasing business and operational risks have all contributed to a broader and more complex mandate for IA functions.
While 81% of the banks surveyed do not formally place reliance on other assurance providers, there is a recognition of the need to move towards a combined assurance model. A combined approach to assurance activities among the assurance providers would improve efficiency, enhance coverage, eliminate potential duplication of efforts and ultimately provide a more meaningful opinion to the audit committee.
- People: IA functions are expected to deliver high quality audits and act as a trusted advisor to their organization, while keeping costs down.
Most of the banks surveyed have dedicated Subject Matter Experts who deliver audits across multiple audit teams. An optimal allocation of internal auditors, based on their expertise, plays a key role in a successful audit.
There is a good balance within IA teams between those who hold professional qualifications and other team members with business experience. Most of the banks in the survey have an IA function of which 26-50% have prior business experience within the bank.
- Internal audit structure: The structure of IA functions varies between banks according to their business models and size. They must be flexible enough to meet the needs of their business as well as supervisors.
Almost 50% of banks surveyed have structured their IA functions by business organization. 32% of the banks in the survey have over 10% of total headcount allocated to IA professional practices/support. Given the need for increasing agility and ability to respond to ad-hoc requests, a number of IA functions are investing in the development of a COO function.
- Internal audit plan: Most of the banks in the sample identify enhancement of data analytics and audit techniques, response to IT risks (including cyber), cooperation with the SSM and the regulatory landscape as key strategic priorities over the next three years.
54% of the DG1 banks and 22% of the DG2 banks surveyed have over 200 audits on the Group Internal Audit Plan. 81% of the banks sampled cover high risk areas annually. All survey respondents utilize continuous auditing techniques. Typically, we observe these being utilized across medium/low and low risk areas, thereby reducing formal audit coverage.
- Audit reporting: Internal auditors are responsible for reporting into several organizational levels, all with different interests. The rating system used for IA findings and reports needs to be clear for all stakeholders. Ineffective reporting structures may result in misunderstandings and undermine the significance of their findings.
The IA functions of SSM banks find themselves challenged by regulation and supervision, technological change and scarce resources. Faced with a rapidly evolving risk environment, team leaders want to develop new capabilities. But the greatest challenge for banks’ IA functions could be to retain their independence while balancing the needs of the business against the demands of supervisors.