The financial crisis of 2008 threw the marketplace into a whirlwind of uncertainty and confusion. Financial services regulators and other standards-setting entities reacted with panic. Since then, we’ve seen an avalanche of mandates aimed at enforcing corporate sustainability to protect shareholders. The role of the internal audit has taken center stage, and standards have never been higher. Heightened standards are addressing the shortcomings of past internal audit functions. As corporations navigate their way through the maze of new regulations, the changes should reflect an overall improvement in the relevance, capability and impact of the internal audit, which should net a better financial system overall.
New regulations, along with increased shareholder expectations, will mean greater board involvement surrounding the three lines of defense.
Regulations Increasing Globally Place Focus on Internal Audits
Across the globe, the financial industry is increasing regulations to hold corporations more accountable. Governments at the country level are also continually evaluating laws in search of the best-developed structures.
The European Commission has introduced significant pieces of legislation such as the Markets in Financial Instruments Directive II, Insurance Distribution Directive, Solvency II and Basel III that support the three lines of defense.
The G20 Summit, which includes central banks and regulators, outlined its expectations for board director responsibility in its Financial Stability Papers, including the Thematic Review on Risk Governance. The group agrees that internal audits that are independent from business units and risk management control functions will help boards in assessing whether the risk governance framework, internal controls and oversight are working as expected.
Regulatory Changes Bring Challenges
Smaller corporations are finding that they can accommodate the new regulations reasonably well; however, the increased cost of compliance is making a significant dent in their operations.
Larger financial institutions and insurance companies are finding compliance substantially more challenging. Mid- and large-cap companies hope to meet compliance mandates by strengthening internal policies. They are also finding value in establishing board-level committees and giving them clear mandates. Larger financial institutions are more likely to employ Chief Risk Officers (CROs) and other specialists such as risk management specialists, compliance officers, internal control specialists, and fraud investigators to assist the board with risk management and monitoring.
To be truly effective, corporations large and small need to embed the new roles and functions across the entity and view them as a strategic asset rather than point-by-point compliance solutions. True compliance requires integrating financial, operating, risk and regulatory requirements.
The Role of the Internal Audit
The internal audit falls within the third line of defense, and it plays a key role within the governance framework. The audit should provide assurance that the first two lines of defense—risk management and internal controls—are effective. The audit committee and the board provide the final sets of eyes for review.
It seems that executives are not convinced that internal audits have the level of impact that regulators and lawmakers hoped. A 2016 Deloitte Survey of Chief Audit Executives reported that only 28% of executives perceive that their audit functions greatly impact the organization. About 16% of executives opined that the internal audit had little or no influence on improving corporate governance.
Making the Internal Audit Work Effectively
After management control, the second and third lines of defense are risk management and independent assurance. An independent internal audit supports risk management. Having synergy between the two makes each of them stronger than if they worked separately. The synergy between them is a key component of good corporate governance.
While synergy between the second and third lines of defense is critical to effective governance, boards face a distinct challenge in keeping them synergized. As organizations grow and develop, how will these two functions change? Will they change at the same rates and in the right ways to keep them working together effectively?
IT departments are starting to play a role in increasing effectiveness for both lines of defense. The General Data Protection Directive (GDPR) already requires all financial services firms to employ a team of individuals that have expertise in risk and internal auditing as they pertain to operations and IT risks and controls. The role of IT will need to adapt and change along with organizational growth and development.
Three Issues Drive Risk Management and Internal Audit Effectiveness
Managers and board directors will need to work together to evaluate the impact of the internal audit process. The key areas they will need to look at are the reform of risk governance, the impact of continuing regulatory reform and the evolution of new business models.
The intent of risk reform is to improve the institutional framework. Board directors and managers will need to continually assess its impact on the internal audit to make sure that the audit reflects pertinent data. We are only on the cusp of reform, which will take several more years, at a minimum. Along the way, board directors will need to be cautious about the risk of corrupting the three lines of defense model.
Regulatory reform will be ongoing for some time, which means that there will be continued emphasis on the effectiveness of ratios, governance, systems and controls. Reform will also continue to focus on independence and vigilance. In addition, conduct and culture will continue to be notable factors in regulatory reform.
Business models will continue to evolve as regulatory reform changes. What won’t change is that shareholders will continue to press for returns that are acceptable and sustainable, while meeting or exceeding supervisory and compliance requirements.
Board directors will need to work closely with senior managers as they assign specific roles and coordinate functions for risk management and the internal audit to avoid unnecessary gaps and overlaps.
Fluid Changes Require Board Members to Take a Flexible Approach to Internal Audits
The financial markets are seeing more change than they’ve seen in past decades. Board directors are aware that more is to come. They also know that to sustain quality corporate governance, they will need to approach it cautiously and comprehensively so that they can continue to identify threats and control internal weaknesses. Hopefully, in the future, new and enhanced business models will develop to set improved standards.