This second part in the series on ‘governance of internal and external audits’ provides an in-depth overview of the design of the internal audit function, which, despite being a critical one, is often ignored in many DFIs/FIs. It also touches on other aspects related to effective, efficient, and transparent external audits in DFIs/FIs.
At the outset, I would like to mention that there are some key design observations regarding internal audits and action points for the benefit of central banks worldwide, who often perform the dual roles of regulation and supervision (especially in relation to systemically important DFIs/FIs).
First, as any central banker would agree, internal auditors play a critical role in any DFI/FI. The primary role of internal auditors therefore would have to be to independently and objectively review and evaluate a DFI’s/FI’s activities to maintain or improve the efficiency and effectiveness of risk management, internal controls, and corporate governance. And they can do this by:
- Evaluating the reliability, adequacy, and effectiveness of accounting, operating, and administrative controls.
- Ensuring that DFI/FI internal controls result in prompt and accurate recording of transactions and proper safeguarding of assets.
- Determining whether a DFI/FI complies with laws and regulations and adheres to established policies.
- Determining whether management is taking the appropriate steps to address current and prior control deficiencies and their previous audit report recommendations.
For this, as central bankers would acknowledge, internal auditors must understand a DFI’s/FI’s strategic direction, objectives, products, services, and processes, as well as clients, to conduct these activities and make an objective judgment on the above. The auditors then communicate their findings to the board of directors or its audit committee, who will thereafter brief and discuss with senior management.
In addition, as central bankers would concur, internal auditors often have a role in transformation activities. This role may include duties such as helping the board and management evaluate safeguards and controls, including appropriate documentation and audit trails, during the transformation process at the DFI/FI—this is a critical issue as many DFIs/FIs transform, in some sense or another, to keep up with the highly dynamic nature of the financial services industry.
While the point that DFIs/FIs should conduct their internal audit activities according to existing professional standards and guidance is well taken, exactly how the internal audit function is organized depends on the DFI’s/FI’s size, complexity, scope of activities, and risk profile, as well as the responsibilities assigned to the internal auditor by the board of directors.
In larger DFIs/FIs, a chief auditor and a full-time internal audit staff may accomplish the internal audit function. In other FIs, the internal audit function may be accomplished by one or two employees or a holding company or even by an outside vendor. In many small FIs, the officer or employee designated as a part-time auditor may also have operational responsibilities. In any case, to maintain absolute independence, central banks should ensure that the person responsible for accomplishing the internal audit function is independent of whatever area is being audited and reports her (or his) findings directly to the board and/or its audit committee.
Central banks should also mandate that the audit committee should position the internal audit function in the institution’s organizational structure so that the function will perform its duties with impartiality and not be unduly influenced by managers of day-to-day operations. The ideal organizational arrangement is having the internal audit function report directly and solely to the audit committee regarding both internal audit issues and administrative matters, for example, resources, budget, and compensation.
Some DFIs/FIs place the manager of internal audit under a dual reporting arrangement: functionally accountable to the audit committee for matters such as the design of audit plans and the review of audit scope and audit findings, while reporting to a senior executive on administrative matters. Such an arrangement potentially limits the internal audit manager’s independence and objectivity when auditing the senior executive’s lines of business. Therefore, central banks should ensure that this does not happen at DFIs/FIs under their regulation and supervision. Thus, the chief financial officer, controller, or other similar positions should be excluded from overseeing the internal audit activities even in a dual role. In structuring the reporting hierarchy for the internal audit function, central banks must mandate the audit committee to always weigh this risk of diminished independence against the benefit of reduced administrative burden in adopting a dual reporting organizational structure.
Central banks must therefore make it mandatory for boards of DFIs/FIs to ensure that the internal audit departmental head reports either directly to the entire board or audit board sub-committee to ensure that all potential and real conflicts of interest are negated. In reality, central banks should ensure that the board alone is responsible for delegating the authority necessary to effectively allow internal auditors to perform their job. Thus, internal auditors must have the power to act on their own initiative in all departments, functions, and units in the DFI/FI; to communicate directly with any DFI/FI personnel; and to gain access to all records, files, or data necessary for the proper conduct of the audit. Clear communication between the board, the internal auditors, and management is critical to the timely identification and correction of weaknesses in internal controls and operations, and this again needs to be specified by central banks to all DFIs/FIs under their jurisdiction.
To summarize, internal and external auditors play a fundamental role in ensuring the integrity of the various systems at a DFI and/or FI and also vouching for its true and transparent financial condition. These tasks become all the more important in the present COVID-19 situation where financial systems are under duress and face serious threats to financial stability.
As well-planned and appropriately structured internal and external audits are vital to effective risk management at a DFI and/or FI and they also serve as a critical defense against fraud, central banks must ensure that there is no gap between intended and implemented strategies with regard to the internal and external audit functions in all FIs that they regulate and supervise.
In addition, together, internal and external audits provide crucial information to the board of directors about the effectiveness of internal accounting control and financial reporting systems, crucial to understanding the true and transparent financial condition of the DFI/FI. Therefore, central banks must ensure that in all DFIs/FIs they regulate and supervise, internal and external auditors are given the necessary authority, independence, and skills/knowledge to effectively perform their crucial tasks.
While regulatory fiat should ensure that such audits are to be performed by independent and competent staff who are objective in evaluating the DFI’s/FI’s control environment and also its true financial condition, it is effective (online) off-site supervision that can ensure that it happens in real time.
As the regulator and supervisor, central banks should also guarantee that, together, internal and external audits provide: a) objective, independent reviews and evaluations of a DFI and/or FI’s activities, internal controls, and information systems; b) adequate documentation of various tests, findings, and corrective actions, if any; c) assistance in improving the effectiveness, efficiency, and adaptability of the DFI’s/FI’s risk management processes, controls, and corporate governance; d) reasonable assurance about the accuracy and timeliness with which transactions are reported and recorded and the accuracy, reliability, validity, and completeness of financial statements and regulatory (compliance) reports; and e) validation and review of management actions to address material weaknesses (if any).
Again, as noted above, while regulation can stipulate any number of specific aspects that DFIs/FIs would need to ensure regarding internal and external audits, the key is getting this implemented in real time. For this, central banks must rely on their off-site (online) supervisors (or examiners) to check the veracity and authenticity of internal and external audits at the DFI/FI during their supervisory activities. In the present COVID-19 era, where physical (social) distancing and other measures are still prevalent, the use of RegTech by central banks could go a long way in ensuring that the off-site (online) supervision is effective in real time.
Any exceptions to the regulatory norm must be suitably dealt with by way of immediate punitive action by central banks on the DFI/FI concerned as well as its internal and external auditors. Only this can mitigate (if not eliminate) the occurrence of frauds and scams in real time in systemically important DFIs and FIs and thereby provide the much needed financial stability, accountability, and inclusiveness to the larger financial ecosystem, which in many ways, symbolizes the heart of the economy—a stable, inclusive, and accountable financial sector in many countries will go a long way in ushering in an era of all-round shared prosperity, where poverty and inequality are hopefully mitigated, if not completely eliminated. This is all the more essential now given the kind of devastation that COVID-19 has wreaked on economies around the world.
 RAMESH SRIVATSAVA ARUNACHALAM is a board member of the Financial Inclusion Advocacy Centre (FIAC), Ghana and UK. He is also a partner in ASCENSION ADVISORY (India), under incorporation. He is the author of 14 critically acclaimed books. Ramesh also provides strategic advice on a wide variety of Financial Sector, Financial Inclusion and Economic Development issues. He has worked in over 314 assignments with multi-laterals, governments, private sector, Banks, NBFCs, DFIs, regulators, supervisors, MFIs and other stakeholders in 31 countries across 5 continents and 680 districts of India during the last 31 years. He can be contacted at [email protected] and +919962815615.