A new code for internal auditors in the financial services sector also proposes they should report directly to company boards.
Internal auditors work within a company and help protect its assets, reputation and business by assessing and challenging risks and controls.
However, they have been discredited by a string of scandals during the financial crisis, including the rigging of the London interbank offered rate (Libor).
The Financial Services Authority (FSA) also found Halifax Bank of Scotland ignored warnings from its internal risk officials and external auditor KPMG before it was rescued by Lloyds.
The code, written by the Chartered Institute of Internal Auditors (CIIA), in consultation with the Bank of England and FSA, said internal audit’s scope should be “unrestricted”.
“There should be no impediment to internal audit’s ability to challenge the executive and report its concerns,” said the proposed code.
The CIIA said internal auditors should report primarily to the chairman of the board of directors, rather than the chief executive, to ensure independence and authority.
Andrew Bailey, executive director of the Bank of England and chief executive-designate of the Prudential Regulation Authority, said: “The expectations of internal audit functions within financial services firms have hitherto been set too low.
“The regulatory authorities expect firms to have robust internal audit functions capable of providing genuine challenge to management and driving improved governance, risk management and internal controls. I hope that this guidance will help internal audit functions position themselves to achieve that.”
The new code says internal audit should have “sufficient and timely” access to key management information and a “right of access to all of the organisation’s records, necessary to discharge its responsibilities”.
Last week, Royal Bank of Scotland was fined $612m for rigging the Libor rate for several years under the nose of internal auditors.
In 2011, the bank’s internal auditors told the FSA that issues raised by a review of Libor setting were being addressed and “adequate systems and controls” were in place.
In December, the FSA fined Swiss bank UBS for similar abuses, saying the “routine and widespread manipulation of submissions was not detected by compliance, nor was it detected by group internal audit, which undertook five audits of the relevant business area”.
The new code also calls for stricter assessment of firms’ risk appetite, as well as the “culture” in an organisation.
“Internal audit should include within its scope the risk and control culture of the organisation.
“This should include assessing whether the processes and actions are in line with the values, ethics, risk appetite and policies of the organisation.”
Old Mutual non-executive director Roger Marshall, who chaired the committee which drew up the draft code, said: “The new code is an important contribution to strengthening internal audit’s role in improving the management of risk, in response to the financial crisis and more recent examples of failure to exercise proper control.”
The code follows guidance recently issued by the Basel Committee on Banking and the US Federal Reserve Bank. It is the first time internal auditors in financial services have been given sector-specific guidance.
The CIIA said the code is likely to lead to “significant change” for some organisations. But it added some of its detailed recommendations may not be suitable for smaller institutions.
The deadline for comments on the draft code is April 12.
The accounting regulator, the Financial Reporting Council, has also started a separate public consultation over when to ban external accounting firms from using internal auditors in their work.