Internal Auditors – Key figures within a stable European banking sector

Speech by Pentti Hakkarainen, Member of the Supervisory Board of the ECB, at the ECIIA Conference, Frankfurt am Main, 21 November 2017

Ladies and gentlemen,

It is a pleasure for me to introduce today’s conference.

Events such as these provide great opportunities for Internal Audit representatives and European Supervisors to interact. So, it is excellent that, since 2015, this get-together has taken place on a regular basis. It is a very good tradition.

I encourage everyone to participate actively in proceedings today – actively sharing your thoughts, and learning from one another’s experiences.

In my speech today, I will first focus first on the important role that internal auditors play for the governance of European banks. Second, I will briefly talk about what European banking supervision does on internal audit, what we have achieved so far, and what our next steps will be.

Bank’s corporate governance and the role of internal audit

Good corporate governance is the cornerstone of safe and sound banking. It provides the checks and balances needed to prevent excessive risk-taking and ensure a sustainable approach is taken when devising business practices.

Achieving this good governance requires adherence to a few well known fundamental principles. First, it requires a clear definition of the roles and responsibilities of the board and of senior managers. Second, it requires an effective and independent risk management function, including strong compliance and internal audit operations. These internal control functions need sufficient standing, they must be independent from one another, and they require direct access to the board. Finally, the governance of the bank must be transparent. Relevant and important information must be disclosed to shareholders, depositors, market participants and other relevant stakeholders such as supervisors and regulators.

These principles form the basis upon which banks and supervisors should build. They help to ensure robust and transparent risk management and decision-making frameworks.

The importance of internal audit

The importance of good governance was once again demonstrated during the recent financial crisis. We all saw what can happen when governance is not as good as it should be, when controls are weak, and when risk gets out of hand.

In recognition of the lessons learned from the recent past, the legal framework in relation to corporate governance standards has been overhauled. The aim of this overhaul was to spell out the principles I have just mentioned in more detail and to help ensure that they are enforced. These goals are pursued both at the international level through guidelines from the Basel Committee of Banking Supervision, and at the European level – through the CRD IV and guidelines from the European Banking Authority.

In the euro area, it is up to European banking supervision to ensure that the banks effectively implement the relevant rules and principles. So, what is our view on governance and internal audit?

Specifically with respect to internal audit functions, I encourage all of you to rely on the principles published by the Basel Committee on Banking Supervision in June 2012. These principles should guide you when defining your modus operandi. They will help you to ensure that banks’ internal audit functions operate in line with supervisory expectations.

When we supervisors think about internal audit, we naturally focus on its role of overseeing the risk-taking of the bank. But we are also fully aware that the competencies and responsibilities of internal auditors go much further. These audits can cover the whole array of banking activities. Internal auditors can thereby help to ensure that operations and workflows are efficient; and that financial reporting is reliable.

It does not end there. Depending on the strategic position of internal audit, and on the maturity of the control environment – the Board of Directors and the audit committee might decide to broaden further the role of internal auditors. This can result in internal auditors being used as an internal “consultancy” of some description. In that role, internal auditors might propose new practices and processes to improve banks’ systems. Naturally, to preserve their independence such consultancy work should not take place in areas that will soon be subject to an internal audit – given the risk of conflicts that could be created.

This highlights something about the skill set of internal auditors. To carry out their duties effectively, internal auditors require a very broad range of skills – reflecting the broad scope of topics they are asked to face. Against this backdrop, continuous training of internal auditors is of paramount importance.

However, adequate skills are just one pillar of successful internal auditors.

Beyond this, it is also important for auditors to collaborate effectively with the other business areas of the bank. If business areas are willing to cooperate, they can provide internal auditors with comprehensive and valuable data and information. In turn, this allows informative and insightful findings to be reached.

Further, good audit functions require sophisticated and functional IT systems – as this allows swift and efficient data gathering, and analysis.

So once again, we see the multiple facets of internal audit in terms of roles, responsibilities and day-to-day tasks. Supervisors tend to stress how important internal auditors are as the ultimate gatekeepers against excessive bank risk-taking. However, we are also very conscious of the good work that internal auditors do beyond this.

In the end, all internal audit activities make a contribution to ensuring that banks conduct their business in a sound and robust manner. As such, they are one of the key building blocks of good governance.

European banking supervision and internal audit

So, I have set out some views on how internal auditors play a key role to ensure safe and sound banks. That’s why European banking supervision keeps a close eye on governance in general and internal audit in particular. Let me give you an overview of some key aspects of our work in this area, and provide some of the key lessons we have learned so far in the SSM from our analysis of this activity.

SREP

The first thing to mention is our Supervisory Review and Evaluation Process, or SREP as we call it. The SREP is our main tool for supervising banks, encompassing on-going and on-site supervision. In the SREP we analyse the business model of a bank, its governance and risk management, and any risks to its capital and liquidity positions.

So, when we analyse the risk governance and risk management of a bank, internal audit plays an essential role. Indeed, the governance and risk management of a bank have a significant impact on its overall risk profile and the sustainability of its business model. This is particularly true in the current climate, where banks are often facing multiple external challenges. In this environment we put an even greater focus on sound risk management.

Thematic review on Governance

Beyond SREP, the second thing to mention is our thematic review on governance and risk appetite. This high priority project took place during 2015, and the follow-up of the implementation of its findings and action points has continued ever since.

As a result of this review, in-depth assessments in the area of governance have also been performed on some institutions. Further, the outputs of this work have fed into the SREP on an ongoing basis. This means that banks are set specific deadlines to address any major governance weaknesses that have been identified. Where problems persist, SREP requirements intensify until improvements are delivered.

Various recommendations from the 2015 thematic review were directly addressed towards internal audit functions.

• First, the review recommended that boards’ oversight of control functions such as risk, compliance and internal audit should be strengthened.
• Second, the internal audit function should be fully independent of business lines. In practice, internal audit should have a direct reporting line to the board or to the audit committee (or its equivalent) and promptly inform senior management about its findings so that timely corrective action can be taken.
• Third, it was emphasised that internal audit is expected to be more involved in reviewing and overseeing the internal control framework of institutions. This means internal audit performs cross-cutting missions on the risk and compliance functions, for example focussing on - the risk appetite framework, recovery plans, and conduct risk.

The good news is that banks have made good progress in implementing the recommendations from our reviews. They have developed action plans to move towards best practices, and our supervisory dialogue with banks has been intensified. As a result, improvements have been observed in key areas of governance, some of them directly related to internal audit.

We note that significant progress has been made on the involvement of internal audit in risk appetite frameworks. Further, internal audit functions are recognised to have been active since 2015 in ensuring that supervisory actions are implemented.

All this said, there is still room for improvement. Banks still have scope to strengthen their governance, and to make further progress in bringing their internal audit functions into line with international standards. There is also still room to fully implement different supervisory actions related to the effectiveness of Boards and to more comprehensively implement risk appetite frameworks at business level. I will outline some further specific areas of potential future progress later on in my remarks.

On-site inspections on governance

Next to the SREP and our thematic review, on-site inspections on governance are the third relevant element of our work to mention.

In fact, many of our on-site inspections have focussed on governance. These inspections have helpfully revealed some issues where further improvements would be welcome.

One insight has been that the scope of internal audit is not always sufficiently broad. The aim should be to properly map all the potential risks a bank may incur. This requires internal audit to reach far enough to cover all the activities and all the entities of a banking group.

Our on-site inspection teams have also identified various more detailed ways in which internal audit could potentially be made more efficient. Banks with strong internal audit functions have tended to formalise internally their policies, roles, and reporting lines. This has been achieved, for example, by developing and agreeing internal audit “manuals” or “charters”. Such an approach can be a useful way to establish that internal audit functions are independent from the linked risk management and compliance functions.

We are also encouraging the banks to plan their audit activity in an adequately rigorous way. This means considering a multi-year perspective, whilst also leaving flexibility to react in a dynamic way to emerging issues. Likewise, resource planning needs to ensure that internal audit functions are equipped with the necessary skills to conduct intrusive reviews.

Improvements have been observed regarding the structural organisation of internal audit across the sector. However, in some cases further progress is required to ensure that internal audit is independent from the related risk management and compliance functions. Properly functioning links between these related functions are of course still required.

It is also crucial that all banks ensure that internal audit receives sufficient scrutiny by the board. In this regard, although the oversight of boards towards internal audit has improved, the degree of scrutiny needs to be enhanced in several institutions. This scrutiny should include activity such as challenging audit plans, and on examining the reasoning for any past-due recommendations.

Conclusion

Ladies and gentlemen,

To conclude, let me begin by re-emphasising my conviction that your work is very valuable for supervisors in fulfilling their mandates. I hope that the views I have outlined are taken into account as you make decisions on the organisation of your internal audit operations. This will help to allow all sides, including supervisors, to get the full benefit from your valuable work. Likewise, I hope my words today have allowed you to see some of the benefits of supervisory work in helping you to achieve your objectives.

Of course, notwithstanding these points about the scope for us to work together for the sake of mutual benefits – it is also important to stress that internal auditors should remain independent. I assure you that I understand this also means independence from the supervisor.

I have emphasised today how vital internal auditors are for sound governance. Into the future, we will continue to be allies in this area – and I look forward to good cooperation as we seek to ensure strong corporate values, to disseminate best practices, and to ensure decision making processes are robustly designed.

Since European banking supervision has been established, the supervisory dialogue with banks and internal audit has continuously improved. Internal auditors are well on track in implementing supervisory actions directly addressed to them. It is nonetheless important that we all continue to pursue further improvements, in order to reach the highest international standards and to further strengthen corporate governance. These efforts are all highly worthwhile, given the indispensable importance of good internal audit for achieving a safe and sound banking sector that can reliably finance the real economy.

Thank you for your attention.