Close
Close

Your message has been sent, thank you!

Print the page

Risk Management

Taking the holistic approach

Risk Management

Internal Audit

Five major drivers

Internal Audit

Islamic Banking and Finance

Interpretation & Implementation

Islamic Banking & Finance

Banking

Banking Regulation and Business

Banking

Treasury and Capital Markets

Market and Liquidity Risk

Treasury & Capital Markets

Financial Crime

Don't be scared, be prepared

Financial Crime

Internal Audit

Modernising the Internal Audit function

Tariq Khan, B.Com, FCA, PIOR, is an independent consultant and Fellow Chartered Accountant of the ICAEW. Whilst head of internal audit at a leading international Japanese investment bank he set up a cutting edge risk based audit function and played a pivotal role in the establishing of the Audit Committee along Turnbull guidelines. In this first in a series of articles on the changing role and the impact of bank internal audit he describes the Basel Committee guidance to this changing and critical function within a regulated bank.

In 1998, when the Basel Committee issued its paper titled "Framework for Internal Control Systems in Banking Organisations" the role of the audit function was for the first time given formal recognition. Principle 11 states: "There should be an effective and comprehensive internal audit of the internal control system carried out by operationally independent, appropriately trained and competent staff. The internal audit function, as part of the monitoring of the systems of internal control, should report directly to the board of directors, or its audit committee and to senior management."

It also emphasised, in principle 4 of the same paper, that internal control systems will be deemed ineffective if they do not consider and recognise material risks in their design. Thus, for the first time risk assessment was formally linked to sound systems of internal controls. Although some institutions were already practicing risk based auditing, it was not until this paper was issued that it got official recognition. Recently, the Basel II Accord has reaffirmed these principles by stipulating that internal audit would have to capture in a larger way the application and effectiveness of risk management procedures and risk assessment methodology and critical evaluation of the adequacy and effectiveness of the internal control systems.

Basel II talks about risk based auditing in the context of management of operational and credit risk only, however, it has specific relevance to banks operating in emerging markets that are in the process of, or considering, implementing the accord. Whilst here in the UK we have had more than 10 years to practice risk based auditing, banks operating in emerging markets have now been forced to play catch up.

While the concept is straightforward, the application of a risk-based audit approach has taken many forms, from a once a year simple assessment of risk based on criteria defined by internal audit, or the board where these are available, to a much more complex model based approach where audit priorities and frequencies are reviewed and changed more frequently after considering the internal risk matrices of the bank. The choice depends upon the sophistication and risk maturity of the bank, capability of its audit team and the way in which the host regulators have translated these principles into their rule books.

Given the variety of risk-based forms available, for banks operating in the emerging markets, it is not a simple matter of just adopting a standard approach to risk-based audit as in practice there is no such thing. So what should a bank do when faced with modernising, or indeed establishing a new, audit function and what are the common traps that can endanger or derail its plans? It is perhaps best to discuss this question in the light of the UK experience. Why UK? Because perhaps the UK regulator has been the most advanced and successful regulator in the world in raising the profile and encouraging the firms under its supervision to take internal audit seriously.

Click here for the Modernising the Internal Audit Function Article

riskupdate