The ECB is sharpening its already significant scrutiny of European banks' internal audit functions. Clarity over its detailed expectations is growing, and internal audit is an increasingly common focus of on-site inspections. Banks should take a pro-active approach to meeting the ECB's expectations, and remember that assessments of internal audit quality feed into the SREP process.
The internal audit (IA) teams of Europe's banks face an increasingly dynamic and challenging set of expectations, including supervisory, commercial and technological pressures. We have written before about the effect this is having on IA functions.
As expected, the focus on IA remains a core activity for supervisors in terms of inspections. The starting point for these expectations is, of course, relevant EU rules and regulations. The most important are the CRR (particularly Articles 191 and 288), the CRD and the EBA's Guideline on Internal Governance (PDF 800 KB). Investment firms are also covered by MiFID 2, and national supervisors sometimes use their own complementary IA standards alongside European requirements. The fact that some large banking groups are considering outsourcing IA activities means that the ECB is also increasingly focused on compliance with the EBA's Guideline on Outsourcing.
Theory is one thing, but practice is another. In reality it is on-site inspections (OSIs) by joint supervisory teams (JSTs) that show just how much scrutiny the ECB is putting onto banks' IA functions. We are aware of several OSIs targeted solely on IA departments; in one case we have seen an investigation of the IA function lasting over four months and involving a large inspection team, lending credence to the ECB's stance on deep investigations. The ECB is also using OSIs with a broader focus on Internal Governance to assess IA functions.
Based on our observations of the market, we see the following areas as among the ECB's most important current expectations for IA functions.
· Staffing & Training: It seems that the ECB is using a 1% threshold for banks’ total staff to be allocated to IA functions. In Germany, 'good practice' benchmarks are often higher. However it seems that many banks have struggled to reach this threshold, potentially leading to difficult decisions about the scope and prioritisation of IA work. The quality of teams is key too - the availability of staff with specialised mathematical, statistical or technology skills is often challenged. JSTs also review training budgets and plans to ensure sufficient levels of knowledge and expertise.
In short, banks should be proactive regarding the ECB's levels of expectation for their IA functions. Not only can they expect JSTs to follow up closely on any IA related findings arising from OSIs, they should also remember that an assessment of the IA department always forms part of the annual SREP process.