banking audit and its particularities

Yesterday’s controller of processing and operations regularity, today’s bank auditor is an expert in diagnosing operational processes and controlling risks, a project manager operating in a complex environment, and a banking specialist.

This profile also makes them a major player in risk management and value creation for the bank.

Principles Issued by the Basel Committee on Banking audit

Monitoring Activities and Correcting Deficiencies

The overall effectiveness of the bank’s internal controls should be constantly monitored. Monitoring key risks should be part of the bank’s day-to-day operations, as should periodic assessments by business lines and internal audit.

As banking is a dynamic, rapidly changing industry, banks must continually monitor and evaluate their internal control systems in light of changing internal and external conditions and strengthen them as needed to ensure their effectiveness.

Monitoring the effectiveness of internal controls is a task that can be performed by staff from a variety of sectors, including those responsible for the operations themselves, financial control, and internal audit.

For this reason, it is important that senior management clearly designate auditors and specify their monitoring functions. Monitoring should be part of the bank’s daily activities but also requires periodic specific assessments of the entire internal control process.

The frequency of monitoring of different activities should be based on the risks involved as well as the pace and nature of changes affecting the operating environment.

A continuous monitoring process can help identify and quickly correct deficiencies in the internal control system. It achieves maximum effectiveness when the internal control system is integrated into the operating environment and results in regular reports that are reviewed.

Ongoing monitoring includes, for example, the review and approval of current records and management’s consultation and approval of reports on exceptional events.

Specific assessments, on the other hand, generally detect problems only after the fact; however, they allow an organization to have a recent and comprehensive overview of the effectiveness of the internal control system and monitoring activities.

Internal control system assessments often take the form of self-assessments, where individuals in charge of a specific function determine the effectiveness of controls for their activities.

Documents and results relating to the assessments are then submitted to senior management. Reviews conducted at all levels should be adequately documented and communicated promptly to the appropriate level of management.

An Effective and Comprehensive Internal Audit of the Internal Control System

This audit should be conducted by well-trained and competent personnel with operational independence. The internal audit function, as part of the internal control system oversight, should report directly to the board of directors, or its audit committee, as well as to senior management.

The internal audit function is a major component of ongoing oversight of the internal control system because it provides an independent assessment of the adequacy of established policies and procedures and compliance with them.

It is essential that the internal audit function be independent of the bank’s day-to-day operations and have access to all activities conducted by the banking organization, including its branches and subsidiaries.

By reporting directly to the board of directors or its audit committee as well as to senior management, internal auditors provide objective information on the various activities.

Due to the importance of this function, internal audit must be staffed by competent and well-trained personnel with a thorough understanding of their role and responsibilities.

The frequency and scope of internal control reviews and tests conducted within a bank by internal auditors should be commensurate with the nature and complexity of the organization’s activities and the risks associated with them.

The attachment of the internal audit function to the highest level of the banking organization allows for good corporate governance.

The board benefits from information that cannot be adjusted in any way by the levels of management covered by these reports. The board should also enhance the independence of internal auditors by ensuring that matters such as their compensation or budgetary allocations are addressed by the board or senior management rather than by managers who are affected by the work of internal auditors.

Notification by Internal Audit of Internal Control Deficiencies to the Board

Internal control deficiencies, whether detected by a business line, internal audit, or other control personnel, should be reported promptly to the appropriate level of management and addressed promptly. Significant deficiencies should be reported to senior management and the board of directors.

Internal auditors must follow up or otherwise appropriately monitor and promptly inform senior management or the board of any uncorrected deficiencies. To ensure that all deficiencies are addressed at the earliest opportunity, senior management should be responsible for establishing a system to track internal control weaknesses as well as actions to address them.

The board of directors and senior management should receive periodic reports identifying identified control issues. Issues that appear minor in individual checks may well reveal trends that, from an overall perspective, may represent a major control deficiency if action is not taken in a timely manner.

Bank Internal Control and Internal Audit

Bank Internal Control

“Internal control is the process implemented by an organization’s board of directors, management, and personnel, designed to provide reasonable assurance regarding the following objectives: the conduct and optimization of operations, the reliability of financial operations, compliance with applicable laws and regulations”.

Internal control is generally defined as all the measures which, under the responsibility of the company’s management, are intended to ensure, with reasonable certainty, the achievement of the following: orderly and prudent conduct of business, framed by well-defined objectives; economical and efficient use of resources; adequate knowledge and control of risks to protect assets; integrity and reliability of financial and management information; compliance with laws and regulations as well as general policies, action plans, and internal procedures.

Part of these measures focuses on verifying and encouraging the company’s compliance with rules relating to the integrity of the provision of financial services. In other words, it relates to the so-called compliance function.

Finally, the internal audit function is an important tool for verifying the proper functioning, effectiveness, and efficiency of internal control, including the compliance function.

As part of its work, internal audit provides the company’s management with analysis, evaluations, recommendations, advice, and information on the activities reviewed, thus contributing to better management of the company.

An adequate internal control system requires an effective set of integrated measures, adapted to the organization and functioning of the institution, and in accordance with the principles of prudent and sound management.

The main objective of internal control is to analyze, monitor, detect, and prevent the risks faced by banking institutions. The main risks are: credit risk, market risk, interest rate risk, liquidity risk, settlement risk, operational risk, and legal risk.

Banking control must be conceived through a preventive approach so that the institution conducts its business in a sound and safe manner. This control is not limited to the sole examination of compliance with quantitative standards, but also relies on the quality of managers, market discipline (through better financial transparency), and the quality of control and risk management by banking institutions.

Internal control is a system that operates continuously at all levels of the bank. As such, it is an essential component of the management of an institution and an element of its culture by making all staff aware of the importance of control.

Internal control must allow the institution to maintain its ability to identify, react, and adapt when risks occur.

Therefore, the internal control system must provide for four levels of control:

• Daily checks carried out by the performers (first-level control, first degree).
• Continuous critical checks carried out by the persons responsible for the administrative processing of operations (first-level control, second degree);
• Checks carried out by members of management on activities or functions falling under their direct responsibility (first-level control, third degree);
• Checks carried out by the internal audit department (second-level control).

Bank Internal Audit

Recall that: “Internal Audit is an independent, objective activity that provides an organization with assurance on the degree of control over its operations, advises on ways to improve them, and contributes to creating added value. It helps the organization achieve its objectives by evaluating, through a systematic and methodical approach, its risk management, control, and governance processes, and by making proposals to enhance their effectiveness.”

Internal audit, responsible for ensuring the consistency and effectiveness of internal control, is at the heart of the bank’s internal control system. To ensure its effectiveness, requirements must be verified:

• Permanent nature;
• Independence;
• Audit charter;
• Objectivity;
• Professional competence.

Borrowing the internal audit approach described above for the performance of its work, bank audit relies on some additional features:

• Annual audit plan;
• Mission programs;
• Working papers;
• Summary and detailed reports;
• Mission follow-up.

The annual audit plan is determined according to the “ANA” (Audit Needs Assessment) methodology by determining audit priorities and the frequency of audits, which must be based on the degree of risk.

To develop it, an audit plan is determined in several stages:

• Analysis of flows and activities;
• Ranking according to impact and probability;
• Development of the risk map.

Therefore, the risk map is considered as:

• A tool for planning, managing, and monitoring banking risks;
• An instrument to help adequately control risks;
• A tool for managing the internal control system.

Thus, to successfully carry out its mission and contribute to creating added value for the bank, the bank audit must adopt a simple, pragmatic, and effective approach.

Bank Internal Audit Device

Internal audit, directly attached to the top management of the banking institution, is independent of any entity, any business, and any operational unit. It is therefore in no way involved in the day-to-day running of the activities it controls.

Internal audit carries out, periodically and as often as necessary, on-site and/or desk missions, the objective of which is to verify:

• Compliance with external regulations;
• Compliance with internal rules;
• Compliance with management decisions and the implementation of means adapted to their application;
• Identification and control of risks of all kinds, both before and after the initiation of operations;
• The reliability and relevance of information, measures, or methods used at the local level for financial management or risk control purposes;
• The reliability and completeness of information reported to the central level for consolidation;
• The existence, relevance, and correct application of operational procedures;
• The quality as well as the fair valuation and accounting treatment of assets and liabilities;
• The establishment of sufficient procedures and means to ensure business continuity;
• The traceability of transactions and their processing;
• The effectiveness and consistency of the internal control system.

An Expanded Scope of Intervention

Yesterday, the auditor was concerned with a limited scope with an approach that was essentially very close to the details. Today, in fact, their scope of intervention is much broader: they are responsible for diagnosing very sophisticated reporting systems and piloting devices, systems used by senior management, which means that auditors are in contact with the bank’s general staff, in an approach that is second to none to that of the consultant.

Thus, to implement this approach effectively and credibly, it is necessary to involve only specialized auditors and, when necessary, to provide them with the support of highly specialized experts for the most technical aspects.

All-Risks Audit

An example among others: market risks, information system risks, and the means implemented to deal with them. Today, banks are asked to master, manage, and control these risks. From the moment they enter the bank’s risk map, it means that you need to have the necessary skills to have a critical look at these risks.

These are new horizons for the banking audit profession, so we must have competent, trained teams and specialists who can understand in detail everything behind it and talk on equal terms with the auditees.

For this type of risk, we recruit in particular financial engineers with extremely advanced mathematical knowledge, sometimes complemented by experience in trading or risk control in a bank.

A Global Approach

A pile of technical solutions (IT, but also accounting, legal, tax, financial…) cannot ensure the security of an information system without overall cohesion of these different elements. This requires the implementation of a truly effective organization within the bank.

For banking audit, it is therefore a question of setting up a structured approach integrating the strategic, organizational, and human components but also the risk, cost, and efficiency factors.

Purpose, Role, and Approach of Bank Audit

Purpose of Bank Audit

Banks face an increasingly challenging socioeconomic environment. The risks they face have become more numerous, more significant, and more complex.

In the current economic context, banks need more than ever to have an effective and sophisticated risk management system that can ensure rapid reaction to the emergence of new risks. The purpose of such a system would be to preserve their financial soundness, continue to grow, and bring confidence to the market.

The internal audit function is an important tool for verifying the proper functioning, effectiveness, and efficiency of internal control, including the compliance function.

As part of its work, internal audit provides bank management with analysis, evaluations, recommendations, advice, and information on the activities reviewed, thus contributing to better management of the bank.

Supervisory authorities require each bank to have an internal organization that is adequate in relation to the business carried out and the risks incurred. Hence the need for a high-performance audit and risk management system.

Role: Verification of the Proper Functioning of Internal Control

To take into account the importance of risk management in a bank, a number of principles have been clearly defined, including the role and responsibilities of management (board of directors and senior management), control activities and the separation of functions, the need to have up-to-date, reliable, consistent, and accessible information.

The board of directors must ensure the implementation and maintenance of consistent internal control, set limits within which risks are incurred, and ensure the implementation of risk identification, assessment, monitoring, and control measures. It is then up to senior management to implement these principles and in particular to develop related control procedures.

Internal audit, an independent unit reporting directly to the board of directors, has as its primary role to verify the proper functioning of internal control.

At the same time, we are witnessing a development of audit committees, emanating from the board of directors, composed of more and more specialists in the various fields concerned (accounting, regulatory, legal, private banking, etc.).

The audit committee ensures regular communication with the external and internal audit, ensures the quality and independence of their work, and informs the entire board of directors, through synthesized reports on the major findings and recommendations identified.

The Risk Approach at the Heart of Bank Audit

As part of the supervisory concept, the central bank exercises supervision of banking institutions indirectly. That is, based on the work of internal and external auditors.

Thus, in its role as a body for verifying the proper functioning of internal control, the bank auditor is given a much broader role. They do not only check the regularity of the processing of operations. They must also take a position, in a report to the bank’s board of directors, on compliance with the conditions for a bank’s authorization.

In addition, they must also ascertain (non-)compliance with banking regulations, comment on the financial situation, and in particular present quantitative and qualitative indications on the risk situation (adequacy of risk policy, management, and control).

To fulfill their role, auditors use methodologies based on the analysis of the environment, existing or potential risks, and the internal organization of a bank.

• Understanding the Environment

First, a diagnosis is made on the interaction of the bank in its environment. Who are the customers? What are the products offered? In which markets and geographical areas does the bank operate? Who are the stakeholders and what are their expectations? What is the economic situation? What are the regulatory changes? etc.

This first step allows us to identify the risks arising from banking activities (business risks), such as: sensitivity to changes in economic indicators (exchange rates, interest rates, etc.); competition; trends and developments in the environment (e.g., taxation of savings, the central bank’s new ordinance on money laundering); technology (e-business, IT suppliers, information availability, and security…).

• Assessing Risk Culture

The second step is to assess the bank’s risk culture and the degree of sophistication of its risk management system and internal control. Its starting point is the risk policy, which reflects the bank’s understanding, measurement, and control of risk.

In the face of each of these, institutions adopt certain behaviors: avoid a risk (e.g., not entering a new market or offering a particular type of service); reduce or transfer a risk (e.g., use of credit derivatives), and finally, accept a risk. Once this framework is in place, the bank must identify, define, and measure the risks and assign a risk owner for each of them.

Then, it is necessary to set risk tolerances (limits), then establish monitoring and reporting of the evolution of risk exposure, both individually and globally.

• Assessment and Analysis of Each Risk

The auditor estimates the inherent risks in each area of activity (credit, human resources, information system, etc.). Risks can also be classified into three categories (see chapter 2):

Once the level of inherent risks has been assessed, the auditor needs to understand how these risks are managed and controlled.

In other words, they must assess the adequacy and effectiveness of the measures taken by the bank to minimize the risks incurred. So, if the significance of the risk is defined by the inherent risk, the ability to manage this risk is defined by the internal control system in place.

The combination of the estimated levels of inherent risk and control risk then allows the auditor to determine the extent, frequency, and methods of verification they need to undertake, in accordance with the principles of the profession.

• Compliance with Licensing Requirements

The analysis of inherent risks and the internal controls in place ensures that risks are properly identified and reflected in the annual accounts. This work also allows an opinion to be expressed on compliance with authorization conditions and rules of conduct.

Finally, the application of such a methodology also makes it possible to identify opportunities for improvement and optimization of the internal control system and to communicate them to the bank in the form of recommendations or action plans.

In the current economic context, effective risk management is more crucial than ever to preserve a bank’s financial soundness and bring confidence to the market. Banking supervisors need to integrate this need into the existing regulations, which will, however, be further strengthened with the introduction of the new Basel II accords.

The recent development of corporate governance, along the lines of the foundations of internal control recently redefined by the central bank, is gaining importance in risk management.

Risk Management: A Continuous Process

Risk management and internal control must therefore be understood as a continuous process, the application of which must be guaranteed at all times. This process must ensure the identification of deficiencies and the taking of appropriate corrective measures.

The analysis of this dynamic process is at the heart of the bank audit approach and work. It is not just a static assessment of risks at a given point in time.

The risk analysis and the resulting bank audit approaches must be communicated and validated with the board of directors or the audit committee. Communication and understanding of the roles of the different actors in banking supervision will certainly be facilitated and improved.

As for the transparency of decisive information on the risk situation, it will contribute to strengthening confidence and improving good banking governance.

Conclusion

In a changing environment, the internal auditor can play a role that goes far beyond that of “controller” to become a “catalyst” encouraging business leaders to act…

In any case, the existence of an internal audit structure within a bank reflects the affirmed desire on the part of its management to equip themselves with a tool to limit risks, make the existing organization more efficient and effective.

Internal audit can play a significant role in bank efficiency. Thus, in the context of carrying out its mission, the auditor is well placed to identify, in addition to control problems, areas where controls are unnecessary, ineffective, and costly.

The auditor can also identify operational inefficiencies and may be tasked, beyond their usual mission, with consulting assignments.

It is still a matter of ensuring that the tool put in place is capable of carrying out the mission assigned to it. Certain conditions must be met for internal audit to be a truly effective tool.

Effectiveness, and therefore the result for the bank, will be all the greater if each of its criteria has been optimized, thus making a significant contribution to the whole. This optimization, however, has its limits, which can be classified into four broad categories, according to their nature:

• A first limit is linked to people, to auditors of course, given their ability to perform the function, their knowledge, their training, their intrinsic qualities, but also to the auditees and their behavior or the possible questioning of their way of working and their habits. Finally, the attitude of managers and the support they provide to their internal audit structure is a major guarantee of success.
• A second limit is the efficiency/cost ratio. The existence of an efficient audit structure is expensive in terms of salaries, travel expenses, and structural costs. The team must therefore pay for itself, and it is not always easy to measure its productivity concretely.
• The third limit is linked to the fact that the implementation of internal control often runs counter to immediate efficiency.
• The fourth type of limit concerns the rapid evolution of techniques and working methods. The example of IT, which now makes it possible to work in real time, is entirely in line with efficiency, but on the other hand, often leads to unauditable systems.