CPAA Insight: Culture, corporate governance & the internal auditor


The following special feature appeared in the November 2012 edition of CPAA's magazine, Practising Accountant

Susannah Hammond and Stacey English from Thomson Reuters unveil a new report on the shifting expectations of internal audit

THE FINANCIAL CRISIS has sparked significant changes in the philosophy, intensity and approach of financial services regulation around the world. 

Whilst the immediate priority was to stabilise and repair firms’ balance sheets, the deluge of change has progressed to incorporate prudential and capital reforms as well as conduct of business, including a specific focus on the culture of firms and the effectiveness of corporate governance arrangements.

Allied to the increased focus on culture and corporate governance is a re-assessment of the internal audit function’s role in financial services firms and the growing acknowledgement of the increased need for a strong, well resourced, independent internal audit function operating in close coordination with other risk and compliance control functions. 

Shifting expectations

The expectations on internal audit functions are shifting both internally and externally. On the one hand chief executives, boards, audit and risk committees all have increased expectations of the depth and quality of the work to be performed by their firm’s internal audit function. On the other hand, regulators are seeking to be able to place more reliance on internal audit.  

As a consequence, regulators which have historically liaised with and addressed guidance to compliance functions are increasingly directing their guidance and feedback specifically towards internal auditors.  All of this, combined with the anticipated changes to the external audit marketplace will alter the dynamic and balance of work undertaken by any internal audit function.

Internal auditors, in common with the other control functions within financial services firms, are having to cope with regulatory change, increased expectations and more intense scrutiny of their work at a time of constrained budgets, increasing competition for risk management skills and continuing economic pressures. All in all, internal auditors need to be able to do more with less.

New survey

In the first half of 2012, Thomson Reuters Governance Risk and Compliance surveyed nearly 2000 firms around the world. This report analyses the responses of nearly 500 firms which undertake financial services business, including banks, insurers and investment managers. 

There are specific challenges and priorities for internal audit functions of financial services firms but many of the lessons to be learned are applicable to all internal auditors and good culture and corporate governance within firms across all sectors and industries.

The results of the survey showed a sometimes significant disconnect between what internal auditors were doing and what they felt they should be doing. There were also regional variations in both the topic and size of the disconnection.

Internal auditors are becoming more aware of the need to increase their focus on areas much wider than simply the controls around the production of the financial statements. Crucially there is recognition of the growing and vital role the internal audit function needs to play in the assessment and support of effective corporate governance in the firm.

Internal audit functions could consider themselves fortunate that they have not come in for more direct criticism following the failure of so many high profile firms. Going forward the visibility around internal audit’s role and remit is set to increase. 

Regulators and firms will both be looking to the internal audit function to act as more than a tick-box mechanistic assurance function and to give robust assurance on more qualitative issues such as corporate governance and culture. 

Internal auditors need to be aware of their changing regulatory environment and associated expectations, and in this they may seek to leverage the knowledge and approach of their compliance function, which has been dealing with very similar issues in recent years.

The new IIA code “is a crucial contribution in the drive to improve corporate governance in the financial services sector”  Andrew Bailey (MD, UK FSA & Executive Director, Bank of England)

The future does not come without risk for the internal audit function. The increased regulatory focus and scrutiny means that the function and in particular its senior managers could in some parts of the world face sanction should regulatory expectations and requirements be breached. 

As external auditors are facing up to the prospect of a fiercer supervisory environment so internal auditors have to understand that as their remit grows so do their regulatory obligations. 

The increased risk is not without its compensations. Internal audit has always been a valued part of a firm but going forward and alongside the other risk and compliance functions, the internal audit function has the opportunity to fill a vital, business critical role at the heart of not only risk management within their firm but also effective corporate governance and a positive risk culture.

"The time is right for a genuine debate about the appropriate level of sanction for professional misconduct by accountants"  (UK AADB Chairman Timothy Walker)

Thomson Reuters GRC’s report on culture, corporate governance and the internal auditor not only presents survey findings from firms around the world but also considers the role of the audit committee, the interaction between internal audit and other control functions as well as the swathe of regulatory reforms which will impact internal auditors. 

The report examines the impact of the changes in the external auditor marketplace and the ramifications for firms and their internal audit functions. It also specifically assesses what good now looks like for the successful internal audit function of the future. 

What good looks like for internal audit, along with the other risk and compliance functions, will vary from firm to firm as the risk management arrangements must be tailored to the exact business being undertaken by the firm. 

One size most definitely does not fit all. That said, there are several key features of best practice which are universal for all firms where all significant risks are identified, assessed, monitored and mitigated appropriately.

The full survey report can be downloaded from  

GRC solutions from Thomson Reuters

The Thomson Reuters Governance, Risk & Compliance (GRC) business delivers a comprehensive suite of solutions designed to empower audit, risk and compliance professionals, business leaders, and the Boards they serve to reliably achieve business objectives, address uncertainty, and act with integrity. 

Through the Thomson Reuters Accelus suite, we bring together market-leading solutions for global regulatory intelligence, financial crime, anti-bribery and corruption, enhanced due diligence, compliance management, internal audit, e-learning, risk management, and board of director or disclosure services.
