Internal Audit

The internal audit function is the third line of defense. The internal audit function’s primary role is to independently and objectively review and evaluate bank activities. This role helps to maintain and improve the efficiency and effectiveness of the bank’s risk management system, internal controls systems, and corporate governance. The internal audit function should monitor the bank’s internal controls systems by

  • Evaluating the reliability, adequacy, and effectiveness of internal controls that promote the safety and soundness of the bank, whether operated by the bank or a third party.
  • Ensuring that bank internal controls result in prompt and accurate recording of transactions and proper safeguarding of assets.
  • Determining whether the bank complies with laws and regulations and adheres to established bank policies, procedures, and processes.
  • Determining whether management is taking appropriate and timely steps to address control deficiencies and audit report recommendations.
  • Ensuring that audit activities are performed by qualified persons.

To conduct these activities effectively, the internal audit function should have ongoing communication with its stakeholders. Internal auditors should be aware of and understand the bank’s strategic direction, objectives, products, services, and processes, as well as relevant laws and regulations. The auditors communicate findings to the bank board or its audit committee and senior management. The chief auditor should develop an ongoing communication process with management to keep current on changing business and risk issues.

The main aim of internal auditing is to help the organization achieve its objectives. So if the organization’s objective is to ‘add shareholder value’, then that is the aim of internal auditing. If it is to ‘relieve famine in central Africa’, then that is what internal auditors should be doing. This seems obvious, but it’s worth making the point that internal auditing is not special. It should be able to justify its existence just like any other process in the organization.

There is an assumption, hopefully justified, that the objectives of any organization would include the requirement to obey applicable laws and regulations. So how do internal auditors justify their salary? Let’s go back to the objectives of the organization. The achievement of these objectives is hindered by risks which should be managed below the risk appetite by internal controls.

Monitor Compliance – Internal auditors assess the organization’s compliance with applicable laws, regulations, and contracts to ensure that management is addressing these requirements adequately. They also offer insight into the impact that noncompliance would have on an organization and inform senior management and the board of noncompliance.

Assure Safeguards – The organization’s tangible property, human resources, and intellectual property are valuable and must be guarded against potential damage. Internal auditors evaluate the procedures used to safeguard assets from theft, fire, illegal activities, or other types of loss. They bring deficiencies to light and make recommendations for enhanced protection.

Investigate Fraud – Because fraud can affect any level of the organization, it’s important that the board of directors grants the internal audit function access to all records and authority to conduct audits and investigate possible fraudulent behavior throughout the organization.

Risk Management – Risk management is a fundamental element of corporate governance. Management is responsible for establishing and operating the risk management framework on behalf of the board. Enterprise-wide risk management (ERM) brings many benefits as a result of its structured, consistent and coordinated approach. Internal auditing’s core role in relation to ERM should be to provide assurance to management and to the board on the effectiveness of risk management. When internal auditing extends its activities beyond this core role, it should apply certain safeguards, including treating the engagements as consulting services and, therefore, applying all relevant Standards. In this way, internal auditing will protect its independence and the objectivity of its assurance services. Within these constraints, ERM can help raise the profile and increase the effectiveness of internal auditing.