The ECB is sharpening its already significant scrutiny of European banks' internal audit functions. Clarity over its detailed expectations is growing, and internal audit is an increasingly common focus of on-site inspections. Banks should take a pro-active approach to meeting the ECB's expectations, and remember that assessments of internal audit quality feed into the SREP process.
The internal audit teams of Europe's banks face an increasingly dynamic and challenging set of expectations, including supervisory, commercial and technological pressures. As expected, the focus on internal audit remains a core activity for supervisors in terms of inspections. The starting point for these expectations is, of course, relevant EU rules and regulations. The most important are the CRR (particularly Articles 191 and 288), the CRD and the EBA's Guideline on Internal Governance.
Theory is one thing, but practice is another. Based on KPMG's observations of the market, they see the following areas as among the ECB's most important current expectations for internal audit functions.
Staffing & Training. It seems that the ECB is using a 1% threshold for banks’ total staff to be allocated to IA functions. In Germany, 'good practice' benchmarks are often higher. However it seems that many banks have struggled to reach this threshold, potentially leading to difficult decisions about the scope and prioritisation of IA work. The quality of teams is key too - the availability of staff with specialised mathematical, statistical or technology skills is often challenged. JSTs also review training budgets and plans to ensure sufficient levels of knowledge and expertise.
Methodology. IA functions need to demonstrate robust audit approaches and coverage for the past five years and the next three. Areas of interest include planning, risk prioritisation, adherence to audit plans. OSIs can lead to banks being required to increase audit units and staffing.
Automation. The ECB expects IA teams to use data analytics in their work (for example, in order to cope with the huge amount of credit lines to review), but only to complement manual audit techniques. It is seeking a balance between machine and human activity, allowing IA functions to enhance efficiency while retaining key skills and appropriate levels of scepticism.
Audit cycles. The ECB appears to view a three year audit cycle as the absolute minimum, apart from high-risk or sensitive topics that are explicitly subject to annual review - such as the ICAAP and ILAAP.
Independence & Quality. It is crucial for IA teams to be able to demonstrate that they are working to high standards of quality and independence. That covers every stage of the audit process including initial findings, quality assurance, the response of audited units, and the communication of findings to Boards and senior management. One example of independence can be seen in how IA teams are remunerated and what kind of goals they are set.
Follow-up. The ECB expects IA functions to follow up actively on their own findings and those of supervisors, along with any remedial actions taken in response - and to report back to Boards on this process.
Compliance. IA functions are expected to actively monitor banks' compliance with key aspects of regulation, including a wide range of topics such as outsourcing, non-performing loans and leveraged finance.
Status & Influence. JSTs want to ensure that Heads of IA have good Board access, that they report regularly to Audit Committee Chairs, and that Chairs are providing an appropriate degree of challenge to their work.
In short, banks should be proactive regarding the ECB's levels of expectation for their IA functions. Not only can they expect JSTs to follow up closely on any IA related findings arising from OSIs, they should also remember that an assessment of the IA department always forms part of the annual SREP process.
Source: Expectations grow for Internal Audit