The ECB is sharpening its already significant scrutiny of European banks' internal audit functions. Clarity over its detailed expectations is growing, and internal audit is an increasingly common focus of on-site inspections. Banks should take a proactive approach to meeting the ECB's expectations, and remember that assessments of internal audit quality feed into the SREP process.
The internal audit (IA) teams of Europe's banks face an increasingly dynamic and challenging set of expectations, including supervisory, commercial and technological pressures. We have written before about the effect this is having on IA functions.
As expected, the focus on IA remains a core activity for supervisors in terms of inspections. The starting point for these expectations is, of course, relevant EU rules and regulations. The most important are the CRR (particularly Articles 191 and 288), the CRD and the EBA's Guideline on Internal Governance. Investment firms are also covered by MiFID 2, and national supervisors sometimes use their own complementary IA standards alongside European requirements. The fact that some large banking groups are considering outsourcing IA activities means that the ECB is also increasingly focused on compliance with the EBA's Guideline on Outsourcing.
Theory is one thing, but practice is another. In reality it is on-site inspections (OSIs) by joint supervisory teams (JSTs) that show just how much scrutiny the ECB is placing on banks' IA functions. We are aware of several OSIs focused solely on IA departments; in one case we have seen an investigation of the IA function lasting over four months and involving a large inspection team, lending credence to the ECB's stance on deep investigations. The ECB is also using OSIs with a broader focus on Internal Governance to assess IA functions.
Based on our observations of the market, we see the following areas as among the ECB's most important current expectations for IA functions.
- Staffing & Training. It seems that the ECB is using a 1% threshold for banks’ total staff to be allocated to IA functions. In Germany, 'good practice' benchmarks are often higher. However, it seems that many banks have struggled to reach this threshold, potentially leading to difficult decisions about the scope and prioritisation of IA work. The quality of teams is key too - the availability of staff with specialised mathematical, statistical or technology skills is often challenged. JSTs also review training budgets and plans to ensure sufficient levels of knowledge and expertise.
- Methodology. IA functions need to demonstrate robust audit approaches and coverage for the past five years and the next three. Areas of interest include planning, risk prioritisation and adherence to audit plans. OSIs can lead to banks being required to increase audit units and staffing.
- Automation. The ECB expects IA teams to use data analytics in their work (for example, in order to cope with the huge amount of credit lines to review), but only to complement manual audit techniques. It is seeking a balance between machine and human activity, allowing IA functions to enhance efficiency while retaining key skills and appropriate levels of scepticism.
- Audit cycles. The ECB appears to view a three-year audit cycle as the absolute minimum, apart from high-risk or sensitive topics that are explicitly subject to annual review - such as the ICAAP and ILAAP.
- Independence & Quality. It is crucial for IA teams to be able to demonstrate that they are working to high standards of quality and independence. That covers every stage of the audit process including initial findings, quality assurance, the response of audited units, and the communication of findings to Boards and senior management. One example of independence can be seen in how IA teams are remunerated and what kind of goals they are set.
- Follow-up. The ECB expects IA functions to follow up actively on their own findings and those of supervisors, along with any remedial actions taken in response - and to report back to Boards on this process.
- Compliance. IA functions are expected to actively monitor banks' compliance with key aspects of regulation, including a wide range of topics such as outsourcing, non-performing loans and leveraged finance.
- Status & Influence. JSTs want to ensure that Heads of IA have good Board access, that they report regularly to Audit Committee Chairs, and that Chairs are providing an appropriate degree of challenge to their work.
In short, banks should be proactive regarding the ECB's levels of expectation for their IA functions. Not only can they expect JSTs to follow up closely on any IA-related findings arising from OSIs, they should also remember that an assessment of the IA department always forms part of the annual SREP process.