Internal audit in financial services: a long time to wait for not very much

“Time is the old justice that examines all such offenders, and let Time try.”
As You Like It, Act IV, Scene 1 
As Canadian consultant Tim Leech pointed out in an ACCA column in 2009, internal auditors really didn’t have a good financial crisis.  Quite validly, Tim asked the question:

Not being fingered for even a portion of the blame in a catastrophic situation is a good thing for the internal audit profession, isn’t it?

His answer to this rhetorical question strikes at the heart of the utility and effectiveness of internal audit:

. . . the absence of even mild criticism of the internal audit profession is an indictment of the profession’s track record assessing and reporting on the effectiveness of their client’s risk management systems to help prevent catastrophic risk and control governance failures before they occur.

Although it sometimes seems like much longer, it is approaching six years since the global financial crisis started to unfold.  On 2 April 2007, the United States’ second largest mortgage originator, New Century Financial Corp of Irvine, California filed for relief under Chapter 11 of the United States Bankruptcy Code in Wilmington, Delaware.  The rot had begun to show.

The post mortems began to appear in earnest in early 2009, once the true scale of the impact of the US Treasury’s decision to allow Lehman Bros to fail in October 2008 became apparent.  As Tim Leech pointed out in in his column in February of that year, none of those post mortems sought to blame failings by internal auditors.  The first major industry review, the 2008 report of the Institute of International Finance, for example, barely referred to internal audit or the practice of internal auditing.

Similarly, in the UK, Sir David Walker’s 2009 review was scarcely resplendent with references to internal audit.  His logic for this was hardly flattering:

. . . failures that proved to be critical for many banks related much less to what might be characterised as conventional compliance and audit processes, including internal audit, but to defective information flow, defective analytical tools and inability to bring insightful judgement in the interpretation of information and the impact of market events on the business model.

However, with the passage of time, attention has turned to internal audit.  In mid 2012, the Basel Committee on Banking Supervision (BCBS) of the Bank of International Settlements revised its 2001 document on the role of banks’ internal audit functions and their supervision.  Its statement on the purpose of internal audit in banks is included as Principle 1:

An effective internal audit function provides independent assurance to the board of directors and senior management of the quality and effectiveness of a bank’s internal control, risk management and governance systems and processes, thereby helping the board and senior management protect their organisation and its reputation.

That’s pretty clear.  But how, precisely, will it do that?  The BCBS guidance is largely silent on the output from internal audit activity but does refer to review by both the audit committee and supervisors of internal audit reports.

Revelling in its chartered status, the UK’s Chartered Institute of Internal Auditors (hereafter UK Institute) has also recently reviewed the role of internal audit in banking, publishing a consultation document in February 2013.  Departing from recent practices, the UK Institute’s review advocates that the director of internal audit report to the firm’s chairman (noting it may be delegated to the chair of the audit committee).  It’s their guidance, they can, after all, recommend what they like.

More notably, the document states that the role of internal audit:

should be to help to protect the assets, reputation and sustainability of the organisation.

Hmmm.  This differs materially from the BCBS expectation around provision of assurance, although it may, of course, encompass the BCBS requirement for assurance also.

Interestingly, the UK Institute’s expectation of the focus of reporting also differs from the BCBS’ view, and includes:

at least annually, an assessment of the overall effectiveness of the governance, and risk and control framework of the organisation, together with an analysis of themes and trends emerging from Internal Audit work and their impact on the organisation’s risk profile.

That is, internal audit should prepare a periodic opinion on effectiveness of the control framework.  That is not an opinion on control, per se, but on the framework surrounding control.  In addition, the UK Institute’s document advocates including within internal audit’s scope of work, inter alia, “the setting of and adherence to risk appetite” and “the risk and control culture of the organization.”   Nowhere in the document are these terms explained or are methods for forming an opinion thereon offered.

Not everyone is a fan of periodic control opinions.  Tim Leech, for one, has written and spoken against them repeatedly.  As he noted in the ACCA piece:

The fact that more than one in every eight Sarbanes-Oxley section 404 control effectiveness opinions from management and external auditors in 2006 were later found, as a result of restatements of the financial statements, to be materially wrong should raise serious questions about the ability of auditors today, both internal and external, to form reliable conclusions on control effectiveness.

Usefully (well, not really), the latest revision to the IIA global standards differentiates between an engagement opinion and an overall opinion.  IIA is clearly leaving the door open for the growth of control opinions, thereby catching up with the reality of the post-Sarbanes-Oxley world.  But opinion over what?

Tim Leech favours reporting on the effectiveness of risk management systems.  As he said:

I believe without reservation that reporting on the current effectiveness of risk management systems is significantly more valuable than providing subjective opinions on the effectiveness of control.

The crux of Tim’s argument is that

management and auditors currently lack the necessary assessment frameworks, training and tools to provide reliable, repeatable conclusions on control effectiveness.

Yet I cannot see that such frameworks are any more clearly developed in relation to firms’ management of risk.  And certainly not in “the setting of and adherence to risk appetite” and “the risk and control culture of the organization.”  Tim elsewhere has advocated use of ISO 31000 standard as the basis for risk frameworks but the reality is that this standard has many detractors, me included, and offers no useful insight on either of these difficult topics.  One such detractor is Bob Kaplan of Balanced Scorecard fame who argues (see here) that we are not yet ready for standards in risk management and that there are dangers in doing so:

[I]n an environment with limited knowledge and experience, premature standard setting will inhibit innovation, exploration and learning.

The IIA itself notes the problems confronting internal auditors examining risk frameworks:

[I]nternal auditors who seek to extend their role in ERM [should not] underestimate the risk management specialist areas of knowledge (such as risk transfer and risk quantification and modeling techniques) which are outside of the body of knowledge for most internal auditors. Any internal auditor who cannot demonstrate the appropriate skills and knowledge should not undertake work in the area of risk management.

The reality is that internal auditors’ knowledge, and knowledge more generally, in risk and internal control falls well short of the level necessary to produce comprehensive, reliable and replicable opinions on the performance either of firms’ risk management or of their internal control.   A key problem is the assumption of the value of standardization, as Kaplan states.  The rush to claim authority by COSO, by the PCAOB or SEC or by ISO simply inhibits innovation, exploration and learning by firms whose differing contexts and environments may well dictate different solutions to frameworks in risk management or in internal control.  Regulatory mandate should not be confused for authoritative knowledge.

In the area of internal control, for example, arguably the best work is by another Harvard scholar, Robert Simons, whose 1995 levers of control model represented a far broader approach than the subsequent, accounting-driven SEC versions of internal control.  It encapsulates many of the enfants bâtards that are now emerging around behaviour and control.

Instead of adopting dirigiste approaches of closing off innovation, standards-setters, regulators and professional bodies should be adhering to the Maoist dictum of “let a hundred flowers blossom.”  Academics should be supporting or even driving that innovation rather than falsely or prematurely asserting authority, as so many have done, especially in relation to risk management.  Research funding agencies in the UK should be supporting such innovation rather than being gulled in to believing there are singular answers to complex questions in risk management and internal control.

In the meantime, risk managers and internal auditors (and regulators, themselves) are left with a dilemma: how to proceed when there is regulatory pressure to enhance management practice in areas where there are not established or reliable bodies of knowledge?  ‘Carefully,’ and ‘with as much knowledge as possible’, would be my suggestions.  This will require a considerably greater emphasis on investing time and effort to acquire knowledge and insight, as opposed to cataloguing of other firms’ practices, than has been in evidence to date.

While, in the UK, the FRC may be on the verge of requiring greater attention to quantitative and integrative risk management practice than previously, the best argument for better knowledge and practice remains one of improving performance.  As recent US research by Booz&Co. shows, underestimating strategic risk is the principal cause of shareholder value destruction.  Addressing firms’ comparative advantages in risk-assumption and risk-bearing are existential requirements for all corporate firms; they cannot afford to wait for internal risk managers and internal auditors to catch up.  But catch up, in time, they must – or risk losing both their credibility and professional designations.

Our programme of training in risk management and assurance topics in March and April covers interview skills, enterprise risk management, risk in programmes & projects, culture & risk culture and strategy, risk & uncertainty.  For more information see here.


12 thoughts on “Internal audit in financial services: a long time to wait for not very much

  1. Peter, yes. Exactly.

    Internal auditors and the audit profession generally has energetically promoted risk management through risk-listing, usually based on muddled flipchart exercises without data. It is hard to see them rising to the challenge while they have that focus.

    I would agree with their advice, that you quote: “Any internal auditor who cannot demonstrate the appropriate skills and knowledge should not undertake work in the area of risk management.” But, I would add that they should work hard to acquire the requisite knowledge and start doing whatever reviews are reasonable as soon as possible.

    Obviously, I recommend my book, “A pocket guide to risk mathematics: key concepts every auditor should know”. And I do mean, EVERY auditor!

  2. . . . and many ‘risk managers’ are simply rebadged internal auditors; unreformed list-makers, as you say. I agree with your prescription and, perhaps surprisingly, I believe that, in due course, internal auditors should be expected to offer periodic opinions on internal control, however defined, suitably limited. I just don’t think current internal control (over financial reporting) frameworks are any particular use for that purpose. And I surprise even myself quoting Mao, but it was his most lucid utterance (even if the economic results were catastrophic). P

  3. Peter, I’ve only just found this article, but: do you think anything’s improved in the three years since you wrote this (insightful!) piece? Are, for instance, any of the professional associations moving the needle?

  4. Michael, thanks for the question. I am not optimistic. I was president of an IIA national chapter (NZ) in the 1990s and these debates were just kicking off – i.e., they’ve been going on for a long time with little change. Then, despite my strong admonitions, there was little structured thought given to risk by IIA. The late Bill Birkett of Univ. of Sydney led a global Delphi study for IIA Inc. that highlighted many of the knowledge gaps and knowledge development requirements (as part of the precursor to amending the standards early the following decade). Bill certainly understood my suggestions and, broadly, folded them in to his own work. But Bill’s efforts fell on deaf ears in Florida (home of IIA Inc.).

    In FS in the UK, I think there are more risk specialists in IA than there used to be; but that cannot solve the problem. At a system level, thinking on risk is skewed to technical analysis and epistemological issues and away from ontological issues – fundamental uncertainty. Also, most internal auditors operate strictly within their organisational frameworks rather than challenging them. That is a function of confidence, experience and technical competence (or lacks thereof). In the US, IIA has backed the tinkering with COSO which is NOT a sound control framework; COSO ERM is flat-out a problem. Here (UK), in influence terms, IIA (CIIA-UK) falls behind FSB, BCBS, national regulators and ICAEW (accountants) in terms of influence. Further, in my experience, the more people talk about ‘governance’, the less they understand the limits of the utility of the concept. So, in sum, to repeat, I am not an optimist.

    • As I feared. I’ve been kissing a lot of frogs these past five years, trying to find any official sources that bear some sort of relationship to managing actual problems. I’m down to posts from people such as you and Matthew Leitch, who commented when you wrote the post we’re discussing.

      > In the US, IIA has backed the tinkering with COSO which is NOT a sound control framework; COSO ERM is flat-out a problem.

      And yet, here we are. I liked your point about it being too early for standards.

      I saw a presentation by a “Ronin Auditor, battling peers who pledge allegiance to Their Control Framework” who had a slide showing the make-up of COSO. He’d assembled all of the logos for corporate villainy from sci-fi; Weyland-Yutani, ZikZak, Blue Sun, Lexcorp, BuyNLarge….

      Thanks for the swift response!

  5. COSO, yes, at length. COSO ERM, no. I’d struggle to stay civil. It is and always was dog-do.

    During it’s initial investigate phase (circa 2002-3, if I remember rightly), I tried to feed in informally through one of the original panel members – an academic. I plied him with directly relevant papers on risk, none of which he’d previously encountered, or so he’d said when we met in London. None of the many years of others’ collective wisdom made it in to the document. It was tragically lacking in intellectual framework, strong on process.

    When you are confronting profound epistemological and, especially, ontological challenges (as, inevitably, you are in risk generally), I’m not sure a cube is the answer. But what would I (or, for that matter, Bertrand Russell) know?

    • 8^)

      It strikes me as remarkable and worrying that I find such a rich vein of dissident commentary everywhere in this field, in such broad agreement, and yet the standards persist. I find myself perpetually grasping for good papers, books or training programs that would help me develop the needed grasp on real risk management to navigate the terrain while making do within the “frameworks” foisted upon us.

      Thanks for your comments!

  6. One of the best dissident commentators – whose feet remain firmly planted in the audit world also – is from your own home town (yes, I checked): Tim Leech. I’ve always disagreed slightly with Tim and have always enjoyed doing so. But the core of his message is pretty sound.

    Re the standards debate, you will have seen my contribution (and contribution thereto by Bob Kaplan). If you haven’t checked it out, the ‘ERM publications’ and ‘Other interesting stuff’ above offer some of the gems. The fundamental point is process is not thought. Hope that helps.

  7. Changing standards (and regulations) is incredibly difficult now that they have been issued with their Risk Listing content. With two projects I have been involved in that aimed to update an existing document the same thing has happened, which is that the projects have been incompetently managed at just about every turn and stubborn/blind defence of existing text has just continued even in the face of completely clear and convincing criticism and sensible alternative proposals.

    In the end the existing text is still in issue simply because the bumbling and time wasting has meant that nothing new could be agreed.

    The time and money wasted on failing to revise ISO 31000:2009 is staggering. The supposed ‘consensus’ is a fiction. Similarly, the time wasted by the APM’s Risk SIG failing to update its PRAM guide is beyond belief. These are supposed to be experts in risk management and (in the APM’s case) experts in projects and risk, and yet they can’t manage their way out of a paper bag.

  8. Matthew, as you know, I’m not close to that process precisely because I don’t place any value on the effect of application of the standards in a practical setting. But your assessment resonates with me. I’m not sure what the online symbols are for ‘deep and protracted sigh’, but let’s take it as read. P

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s