
Internal audit functions: guardians of banks’ control frameworks

15 May 2024

Banks must have sound and effective risk management, governance and internal control processes in place. A strong internal audit function plays a crucial role in ensuring that a bank’s governance arrangements and internal control mechanisms are suitably robust. As the third and last line of defence, the internal audit function reviews the effectiveness and efficiency of a bank’s internal control framework and provides objective assurance that all its activities and units comply with the rules. This is why supervisors thoroughly examine this risk area.

[Figure: diagram of the three lines of defence]

In line with the European Banking Authority’s guidelines on internal governance, the ECB expects banks to have a robust and fully independent internal audit function in place. The internal audit function must be responsible for drawing up, implementing and monitoring the bank’s audit cycle and audit plan. It should follow up on any relevant audit findings and escalate these to the management body in its supervisory function where needed.

ECB Banking Supervision has carried out extensive reviews of the internal audit function of banks over the past few years, including bank-specific deep dives and horizontal analyses. This article provides an overview of the observations made and sound practices identified. It focuses on four key drivers of effectiveness: (i) the governance of the internal audit function, (ii) the audit cycle and audit plan, (iii) resources, and (iv) the stature of the internal audit function.

Examples of good practices in an internal audit function

Governance

  • One-to-one meetings between the chair of the audit committee and the head of the internal audit function are organised to discuss relevant topics (e.g. resources, regular reporting, performance assessment and items on the agenda before each audit committee meeting). The content and outcome of these meetings are reported to the full management body.
  • The audit committee is responsible for performing the appraisal of the head of the internal audit function and provides input to the remuneration committee for decisions on the head’s remuneration.
  • Internal charters establish the frequency and minimum content of the reports submitted by the head of the internal audit function to the management body.

Audit cycle and audit plan

  • The audit plan acknowledges that additional resources may be needed for ad hoc reviews brought about by unexpected events. Sufficient spare capacity is kept readily available.
  • The audit plan takes into account and follows up on the findings of supervisory authorities (i.e. Supervisory Review and Evaluation Process recommendations).

Stature of the function and follow-up on internal audit findings

  • Audit reports elaborate on the root causes of findings, provide clear recommendations with clear deadlines to rectify findings, indicate the area(s) responsible for remediation and contain closure criteria.
  • Any delays in the implementation of remedial actions, in addition to high-risk findings and findings with “risk accepted” status (including recommendations), are presented to the audit committee by the respective audited unit. This process is also reflected in the bank’s internal policies.
  • The internal audit function approves deadline extensions for recommendations in exceptional cases only. Deadline extensions are reported to the senior manager responsible and the management body in its supervisory function for information and discussion purposes.
  • For discarded findings or renegotiated deadlines, or where further supporting documentation is requested, the approval of the head of the internal audit function is required.
  • In the event of disagreement between the business area and the internal audit function, the internal audit assessment and rating prevails, and the disagreement is noted in the report.

In terms of governance, the bank’s internal audit function must be independent of the activities it audits. It should report to the board (or audit committee) on all matters falling within its remit. Almost all significant banks have appropriate reporting lines in place that ensure the independence of the internal audit function, including direct access to the management body in its supervisory function. Nevertheless, the limited involvement of the management body and audit committee (or equivalent) in overseeing the activities and effectiveness of the function is an area that has attracted supervisory attention. Some banks have scope to increase the role played by the management body in its supervisory function in the processes for appointing the head of the internal audit function, setting objectives for them and assessing their performance. Finally, not all banks have defined control-related key performance indicators for the head of the internal audit function and its staff, and the performance indicators that do exist often rely excessively on the institution’s profit margins and performance.

All activities and entities of the bank (including the other control functions) should fall within the remit of the internal audit function. With regard to the audit cycle and audit plan, banks’ internal audit functions have generally developed risk-based methodologies that cover their control framework. However, in some cases the audit plan should be more comprehensive, as it does not sufficiently cover, for instance, the follow-up of supervisory findings, the implementation of the risk appetite framework, or climate and environmental risks. Likewise, some subsidiaries and branches should be better reflected in the group audit plan.

The internal audit function must have the necessary resources and skills to carry out its duties in accordance with the internal audit plan. However, supervisory assessments have revealed that internal audit staffing remains an area requiring attention for several banks, both in terms of the number of auditors and in terms of specific expertise (e.g. IT and cybersecurity). On average, staff working in the internal audit function represent 1% of total staff at significant banks. Furthermore, many banks have not yet implemented any clear rotation process for internal audit staff.

An effective internal audit function provides independent assurance of the quality and effectiveness of a bank’s internal control environment. In this respect, the internal audit function is generally well established, with sufficient stature and visibility. However, several shortcomings have been identified: for instance, some audit reports are not exhaustive enough, and the ratings assigned to findings do not always reflect the severity of the underlying issues. Some banks still need to implement an escalation process for findings in the event of disagreement between the business unit and the internal audit function. Finally, some banks need to improve their follow-up process for audit recommendations.

Specific recommendations have been issued to banks to address these shortcomings. ECB Banking Supervision will continue to assess banks’ progress in enhancing their internal audit function through peer benchmarking, sharing good practices and ongoing industry dialogue, including with internal audit functions and their representatives. The upcoming guide on governance and risk culture will also further clarify supervisory expectations in this area.


European Central Bank

Directorate General Communications

Reproduction is permitted provided that the source is acknowledged.