15 May 2024
Banks must have sound and effective risk management, governance and internal control processes in place. A strong internal audit function plays a crucial role in ensuring that a bank’s governance arrangements and internal control mechanisms are suitably robust. As the third and last line of defence, the internal audit function reviews the effectiveness and efficiency of a bank’s internal control framework and provides objective assurance that all its activities and units comply with the rules. This is why supervisors thoroughly examine this risk area.
In line with the European Banking Authority’s guidelines on internal governance, the ECB expects banks to have a robust and fully independent internal audit function in place. The internal audit function must be responsible for drawing up, implementing and monitoring the bank’s audit cycle and audit plan. It should follow up on any relevant audit findings and escalate these to the management body in its supervisory function where needed.
ECB Banking Supervision has carried out extensive reviews of the internal audit function of banks over the past few years, including bank-specific deep dives and horizontal analyses. This article provides an overview of the observations made and sound practices identified. It focuses on four key drivers of effectiveness: (i) the governance of the internal audit function, (ii) the audit cycle and audit plan, (iii) resources, and (iv) the stature of the internal audit function.
Examples of good practices in an internal audit function
Area | Good practice |
Governance |
|
Audit cycle and audit plan |
|
Stature of the function and follow-up on internal audit findings |
|
In terms of governance, the bank’s internal audit function must be independent of the audited activities. It should report to the board (or audit committee) on all matters falling within its remit. Almost all significant banks have appropriate reporting lines in place that ensure the independence of the internal audit function, including direct access to the management body in its supervisory function. Nevertheless, the limited involvement of the management body and audit committee (or equivalent) in overseeing the activities and effectiveness of the function is an area that has attracted supervisory attention. Some banks have scope to increase the role played by the management body in its supervisory function in the processes for appointing the head of the internal audit function, setting objectives for them and assessing their performance. Finally, not all banks have defined control-related key performance indicators for the head of the internal audit function, and its staff and performance indicators often rely excessively on the institution’s profit margins and performance.
All activities and entities of the banks (including other control functions) should fall within the remit of the internal audit function. With regard to the audit cycle and audit plan, banks’ internal audit functions have generally developed risk-based methodologies that cover their control framework. However, in some cases, the audit plan should be more comprehensive, as it does not sufficiently cover the follow- up of supervisory findings, the implementation of the risk appetite framework, or climate and environmental risks, for instance. Likewise, some subsidiaries and branches should be better reflected in the group audit plan.
The internal audit function must have the necessary resources and skills to carry out its duties in accordance with the internal audit plan. However, supervisory assessments have revealed that internal audit staffing remains an area that requires attention for several banks, both in terms of the number of auditors and in terms of expertise to perform specific skills (e.g. IT and cybersecurity). On average, staff working in the internal audit function represent 1% of total staff for significant banks. Furthermore, many banks have not yet implemented any clear rotation process for internal audit staff.
An effective internal audit function provides independent assurance of the quality and effectiveness of a bank’s internal control environment. In this respect, the internal audit function is generally well established, having sufficient stature and visibility. However, several insufficiencies have been identified; for instance, some audit reports are not exhaustive enough and the ratings assigned to findings do not always reflect the severity of the underlying issues. Some banks still need to implement an escalation process for findings in the event of disagreement between the business unit and the internal audit function. Finally, some banks need to improve their follow-up process for audit recommendations.
Specific recommendations have been issued to banks to address these shortcomings. ECB Banking Supervision will continue to assess banks’ progress in enhancing their internal audit function through peer benchmarking, sharing good practices and ongoing industry dialogue, including with internal audit functions and their representatives. The upcoming guide on governance and risk culture will also further clarify supervisory expectations in this area.
Eiropas Centrālā banka
Komunikācijas ģenerāldirektorāts
- Sonnemannstrasse 20
- 60314 Frankfurt am Main, Germany
- +49 69 1344 7455
- media@ecb.europa.eu
Pārpublicējot obligāta avota norāde.
Kontaktinformācija plašsaziņas līdzekļu pārstāvjiem