The role of internal control and internal audit

Speech by Danièle Nouy, Chair of the Supervisory Board of the Single Supervisory Mechanism, at the European Confederation of Institutes of Internal Auditing (ECIIA) conference,
Paris, 22 September 2015

It is a pleasure to be here today to address the European Confederation of Institutes of Internal Auditing (ECIIA) and I wish to thank the organisers of this event for the interest they have expressed in my participation.

The conference gives me an opportunity to reflect, with you, on the role of internal control and internal audit. These functions are at the centre of sound management, especially for credit institutions in advanced financial systems.

From the very beginning, the Single Supervisory Mechanism (SSM) has focused its attention on the controls and internal governance of credit institutions, and made them a key feature of its methodology.

I will start my remarks by looking at the main changes we are observing in the regulatory and supervisory landscape in Europe with the establishment of the SSM. Then, I will elaborate on SSM expectations regarding the internal audit functions at credit institutions and on the supervisory dialogue with banks’ internal audit functions in the near future.

The changing regulatory and supervisory landscape with the SSM

The European banking landscape underwent a complete regulatory overhaul recently. In the last four years, new rules on prudential requirements have been introduced. For example, there was the Capital Requirements Directive and Regulation – the so-called “CRD IV package”. National rules to restructure or resolve ailing banks were harmonised through the Bank Recovery and Resolution Directive. A new euro area-wide banking supervisory system, the SSM, was set up. A single restructuring and resolution authority, the Single Resolution Mechanism, was established and will soon have its own resolution fund.

This broad set of reforms follows an overall logic. In the highly interconnected euro area financial system, systemic risks originating in each of the member countries tend to spread and spill over easily. Hence, national measures need to be coordinated to avoid exacerbating risks, generating contagion and leading to the fragmentation of Europe’s single financial market due to insufficient coordination at European level.

Against that background, the SSM brings the necessary European dimension to banking supervision. Assisted by national supervisory authorities, the ECB acts as a single decision-maker, responsible for the effective functioning of the overall system.

While the SSM is a single system, with the ECB ultimately responsible for its functioning, different modalities apply depending on the size and systemic importance of credit institutions.

Importantly, day-to-day supervision of significant credit institutions is carried out by specialised groups of supervisors, the Joint Supervisory Teams (or JSTs). These teams consist of experts from the ECB and the national competent authorities, under the coordination of the ECB. This close cooperation within the JSTs helps to maintain knowledge and understanding of pertinent issues at a national level and to develop a common supervisory culture, achieving more convergence of supervisory practices within the banking union.

The day-to-day supervision of less significant credit institutions continues to be carried out by national competent authorities, but the same “SSM supervisory model” which is being developed will be applied to all credit institutions, taking into account the proportionality principle.

Under this framework, the SSM – as a new system of banking supervision – aims at enhancing the interaction of the supervisors with the supervised institutions, strengthening transparency and communication, as well as promoting a consistent approach and a true level playing field. We do this by identifying the common supervisory priorities on the basis of the main risks faced by the European banking sector and by carrying out benchmarking analyses and horizontal “thematic reviews”, to name but a few. In fact, in the first Supervisory Examination Programme, the JSTs have devoted specific attention to the assessment of the internal governance arrangements of credit institutions. When looking at governance, one of the most important components of the analysis is, of course, the adequacy and effectiveness of the internal audit function in the context of the internal control framework.

The framework and supervisory expectations related to internal audit

In this regard, let me now turn to the second part of my remarks, which will be devoted to the SSM expectations regarding the internal control framework in credit institutions and the role of internal audit in particular. I would like to start by recalling the legal framework within which the SSM operates.

CRD IV states that robust governance arrangements include, among others, effective processes to identify, monitor and report the risks, as well as an adequate internal control mechanism.

Usually, the implementation of these rules through more detailed local prudential regulations – including those necessary to transpose CRD IV at the national levels – has taken advantage of the BCBS and EBA principles and guidelines [1], which are consistent with a sound internal control framework based on the so-called “three lines of defence” system, where each of the three lines has an important role to play.

Let me recall the basic definitions. The business line – the first line of defence – has “ownership” of risk, whereby it acknowledges and manages the risk that it incurs in conducting its activities. The risk management function is responsible for further identifying, measuring, monitoring and reporting risk on an enterprise-wide basis as part of the second line of defence, independently from the first line of defence. The compliance function is also deemed part of the second line of defence. The internal audit function is in charge of the third line of defence: conducting risk-based audits and reviews to provide assurance to the Board that the overall governance framework, including the risk governance and internal control framework, is effective.

Therefore, it goes without saying that the internal audit function has a vital and prominent role, being responsible for an independent review of the first two lines of defence and for proactively promoting best practices within the organisation by addressing the existing main weaknesses in the business areas to the management body and asking for prompt remedial actions.

And, as you know, it does not stop there. The Audit Committee at the Board level also has an important role to play, as do credit institutions’ external auditors. The Audit Committee is uniquely positioned to oversee the setting-up of risk management systems and to embed the risk culture in the core corporate values.

Again, as our own and many national assessment procedures confirm, the relationship between internal and external auditors is very important and can be essential in some instances. We have seen that occasionally external auditors will rely on the work of internal audit, and this requires trust, cooperation and mutual respect.

In the near future, an important issue requiring cooperation between external auditors and internal audit functions of credit institutions will be the implementation of IFRS 9 on financial instruments. The completion of this accounting standard as one of the responses to the financial crisis will bring major changes and challenges to the industry, mainly regarding the implementation of the new expected loss model.

Moving on to the SSM supervisory practices, we pay particular attention to the assessment of the overall internal control system. Each of the functions I mentioned before can assist the Board by giving comprehensive information on the appropriateness of the level of risks being taken and the adequacy and integrity of the associated governance and risk management.

Regarding the effectiveness and reliability of the internal audit function, in practice, during the yearly Supervisory Review and Evaluation Process (SREP) cycle, the JSTs are asked to assess:

  • whether internal audit has been granted organisational independence from the heads of the business units as well as whether internal auditors’ objectivity has been properly protected by having direct access and reporting to the management body;
  • whether the function has been provided with adequate resources (in terms of staffing, competences, skills and expertise) to perform its prominent tasks and whether the annual plan adequately covers all necessary areas, including in particular risk management, compliance, ICAAP and ILAAP, as well as internal models; and
  • whether the internal audit function is properly empowered to enforce in a timely manner, with the commitment of the management body, the remedial actions required in order to address the weaknesses detected.

One of the main responsibilities of the management body is to ensure that an effective and properly empowered internal audit function is established. Therefore, we expect that, periodically, the management body:

  • appoints suitable Heads of Internal Audit;
  • evaluates the adequacy of the internal audit function in accordance with national and international professional standards; and
  • reassesses to what extent its reviews cover the whole range of activities of an institution, including the risk appetite framework elements (such as risk limit breaches and risk measurement and management processes and methodologies).

Regarding the appointment of internal auditors, this is primarily a responsibility of the credit institutions: they need to assess the suitability of their internal auditors according to internal fit and proper standards. However, it is possible that in certain member countries the Head of Internal Audit, for instance, who is not part of the management body, is considered to be a “key function holder” within the credit institution. In that case, a fit and proper assessment is carried out by the competent authorities. According to the EBA Guidelines, a fit and proper assessment of a key function holder should include the following criteria: reputation, experience, independence/conflict of interests and time commitment.

All these points highlight crucial challenges for the internal audit function and in particular:

  • the reinforcement of competencies and expertise of the overall internal audit staff. The skill mix needs to include accounting, expertise in compliance checking, treasury management, IT and strategic thinking;
  • within a banking group, it is also important to ascertain whether there is a good balance between the organisation of internal control functions at group level and the way that internal control functions operate at entity level; these must be closely aligned. Naturally, according to the principle of proportionality, the structure and design of the internal control functions should be dependent on the size and complexity of the credit institutions.

Taking all this into account, if the internal audit function is assessed as reliable in the day-to-day supervision carried out by the JSTs because it is really independent, empowered and able to raise material issues with the management board and to enforce its recommendations within the institution, then a fruitful and enhanced channel of two-way communication can be established, where both parties can benefit from a transparent discussion on the risk areas identified and the actual risk mitigation measures taken by credit institutions.

The supervisory dialogue with the internal audit function in the near future

In recent years, internal governance has been closely scrutinised. Consequently, the expectations incumbent on boards and senior management, and on those in charge of providing an independent and objective review of a credit institution’s operation, have been raised.

Now more than ever, a robust and capable internal audit function, with the skills to identify risk control deficiencies and with the independence and authority to pursue its role, is essential to also ensure the adequate discharge of management body responsibilities. In this vein, internal auditors are, as well, a traditional ally of the prudential regulator.

Perhaps there is also a lot of curiosity about the framework for the future relations between the internal audit functions and the SSM. In that respect, we fully acknowledge that internal audit is an internal function of credit institutions, directly reporting to the management body, but anyway I strongly believe that an enhanced channel of communication between these two parties would be very beneficial in order to extract synergies, when possible, for the work each has to perform.

How are the JSTs shaping their dialogue with the internal audit functions of credit institutions? Of course, we cannot generalise, because it is under each JST’s responsibility to establish specific tailor-made relations with the internal audit functions based on the specificities of each credit institution, its complexity and geographical diversification of activities; still, establishing the right relationships with the internal auditors will always feature high on teams’ agendas. In other words, the ECB provides the level playing field through a common methodology for the assessment across the SSM, but then the practical arrangements and practices concerning the kind of relations with the internal auditors are tailored to the specific features of the bank and of the JST itself.

It is clear that in shaping such a dialogue (or two-way communication channel), frequent meetings are the most useful tool and, in the context of the annual Supervisory Examination Programme, a number of meetings with the internal auditors are being planned, at different frequencies depending on the complexity of credit institutions and of existing issues.


As a conclusion, let me remind you of the extremely high stakes we face.

After the creation of the euro, banking union is the next logical step in the construction of our common European house, and a major one. The financial markets, the public and the international community are watching us, with understanding and encouragement, but also with a critical eye. We cannot afford to fail.

The ECB has been entrusted with this fantastic and stimulating challenge and is fully committed to making this work. We urge support from all sides, first and foremost from the banking industry.

We count also on your support. One of the lessons learned from the recent global financial crisis was precisely the need to strengthen overall corporate governance practices. The ECB values professional associations and their input towards a sound and comprehensive professional culture. The internal audit profession’s contribution is important to incentivise such a professional culture and you play a significant role in the development and general dissemination of principles, values, standards and rules of behaviour that guide the decisions, procedures and systems of an organisation.

Thank you very much for your attention.

[1] See “The internal audit function in banks”, Basel Committee on Banking Supervision, June 2012; “Corporate governance principles for banks”, Basel Committee on Banking Supervision, July 2015; and the “EBA Guidelines on internal governance” (GL44), September 2011.

