What Makes A Competent Financial Services Internal Auditor?
This is a question I am frequently asked.
What is clear is that many financial services institutions have either not identified the answer to this question or not taken meaningful steps to put in place a framework that ensures they employ fully competent internal auditors.
I would like to outline the essential facets of competence in this arena. How does your internal audit function compare?
The Philosophy of Internal Auditing
First, it is important that your team members understand the fundamental purpose of internal auditing. “Providing assurance” is a frequently used expression, but what exactly does it mean?
Does the department exist to provide an opinion on the control framework in relation to risk management, or does it act as a change agent with a mandate to improve controls in its capacity as the third line of defence?
The Methodology
This is one area that most large audit functions teach very well: the fundamental audit methodology employed by the department.
Hopefully your own methodology will include the following components:-
- The macro planning dimensions;
- How to effectively plan an audit assignment
- How to examine control design
- Gauging whether a control process is working effectively or not
- How to write a meaningful internal audit report
Does your methodology have any other components?
The Principles of Good Control
Do your staff understand the principles of good control?
Some pressure points that are worthy of consideration:-
- The meaning of segregation of duties;
- What is dual control
- The difference and appropriateness of the following control types:-
- Preventative
- Detective
- Deterrent and directive
- Forms of authorization and approval mechanisms
- Supervision
Some audit functions will teach this theme using the COSO framework. Does this work for you?
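To make the first two pressure points concrete, here is an added example (not from the original article) of the two checks an auditor is really asking about: does anyone hold a toxic combination of entitlements (segregation of duties), and was every payment released by two distinct approvers, neither of whom created it (dual control)? The entitlement names, user list and payment events are constructed sample data and the toxic pairs are illustrative, not a standard list.

```python
"""
Segregation of duties (SoD) and dual control checks over constructed sample data.
Added example for illustration; not code from the original article.
"""

# Constructed sample: which users hold which entitlements in a hypothetical payments system.
ENTITLEMENTS = {
    "alice": {"create_payment", "approve_payment"},
    "bob": {"create_payment"},
    "carol": {"approve_payment"},
    "dave": {"maintain_vendor_master", "create_payment"},
    "erin": {"admin_user_accounts", "approve_payment"},
}

# Toxic combinations (illustrative): pairs of entitlements one person must never hold together.
TOXIC_PAIRS = [
    ("create_payment", "approve_payment"),         # maker and checker in one person
    ("maintain_vendor_master", "create_payment"),  # set up a payee, then pay it
    ("admin_user_accounts", "approve_payment"),    # grant yourself rights, then approve
]


def sod_violations(entitlements, toxic_pairs):
    """Return {user: [toxic pair, ...]} for every user holding both halves of a pair.

    This is a detective control run over the access matrix; the preventative
    equivalent is refusing the grant that would complete a toxic pair.
    """
    violations = {}
    for user, held in entitlements.items():
        hits = [pair for pair in toxic_pairs if set(pair) <= held]
        if hits:
            violations[user] = hits
    return violations


def dual_control_ok(event):
    """Dual control: two distinct approvers, and the creator may not be one of them."""
    approvers = set(event["approved_by"])
    return len(approvers) >= 2 and event["created_by"] not in approvers


# Constructed sample payment events (the event format is hypothetical).
EVENTS = [
    {"id": "P1", "created_by": "bob", "approved_by": ["carol", "erin"]},    # passes
    {"id": "P2", "created_by": "alice", "approved_by": ["alice", "carol"]}, # creator approved own payment
    {"id": "P3", "created_by": "bob", "approved_by": ["carol", "carol"]},   # same approver counted twice
]


def failing_events(events):
    """IDs of payments that did not satisfy dual control."""
    return [e["id"] for e in events if not dual_control_ok(e)]


if __name__ == "__main__":
    for user, hits in sod_violations(ENTITLEMENTS, TOXIC_PAIRS).items():
        print(f"SoD violation: {user} holds {hits}")
    print("Dual control failures:", failing_events(EVENTS))
```

Note that the dual control check deduplicates approvers before counting: a workflow that records the same approver twice satisfies a naive "two approvals" test while defeating the control, which is exactly the kind of gap a competent auditor tests for rather than reading off the policy.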
Corporate Governance
The corporate governance framework within which an internal control mechanism operates is clearly critical.
Do your staff understand what the key components of this framework should look like, including:-
- The role of the board and governing body
- The role of the various board committees
- Non-executive responsibilities versus executive roles
- The meaning of the notion of “three lines of defence”.
The Fundamentals of Risk Management
So far all we have covered are the basics of internal auditing and control, but what about the risk management fundamentals of financial services?
Do your staff understand what the different risk classes in our sector look like? By this I mean:-
- Credit risk;
- Market risk;
- The different forms of operational risk;
- Insurance risk for insurance firms.
Can your team describe examples of the different forms of risk in relation to your company’s product offering?
The Basics of Regulation
Given the importance of regulation, does your department understand the following dimensions:-
- The core principles of effective regulatory compliance?
- Which products are regulated?
- How your regulator articulates rules and principles?
- How your regulator enforces these rules and requirements?
- The consequences of non-compliance?
Technology
We see a polarization between business auditors and technology auditors.
Is this fully appropriate?
Whilst I strongly believe that all technology auditors should possess the baseline knowledge outlined above, I also believe all business auditors should have an understanding of the following technology themes:-
- IT governance
- Access controls
- Software development controls
- Data accuracy, completeness and maintenance
- Cyber security
- Processing interfaces.
What Next?
If you believe all of your team possess this baseline level of knowledge then please compliment yourselves. Congratulations – you really take training seriously.
If you believe there are gaps then perhaps it is time to address this competence challenge.