“Internal audit teams should be in a position to express their views at any stage”

Successful internal auditors preserve and create value amidst a changing banking landscape. However, says Kristy Ballah, Head of Audit at AfrAsia Bank, value creation is achievable when the internal audit team can develop additional synergy with other controls functions of the organization, communication and sharing. Over the years, they had a general tendency to refrain from giving insights and challenge management on projects or major decisions.

What are the regulator’s expectations of the internal audit function?

They are high expectations which include providing independent assurance to the board and senior management on whether (i) the internal control system in place is performing effectively and is adequate to mitigate risks consistent with the risk appetite of the financial institution, (ii) the organizational goals are met and corporate governance processes are effective and efficient.To achieve this, competent people have to be recruited and given the cost involved, internal auditors should play a vital role in the process of value preservation and creation.

What are the main elements that are changing the banking landscape?

Some emerging factors are heavily impacting the banking landscape posing considerable challenges to banks. For instance, the needs of customers have evolved and are becoming more complex and sophisticated which require banks to leverage to a much bigger extent on Fintech. Open banking which is making way for more competition and cloud computing are other essential elements that considerably impact international banking on the technology front.Cost of compliance has risen significantly across the globe. The attempt to improve AML-CFT programs after several reputable banks have been heavily fined by regulators in recent years for non-conformity with AML-CFT requirements and higher regulations coming into play since the financial crisis are the main reasons. Cybercrime and societal pressure for more responsible banking that align the bank’s strategy to society goals are also among the most topical items.As a result, banks are having to frequently revise their strategic orientations which impacts the internal auditor’s agenda. The traditional control focused approach has to change to meet the broader expectations of key stakeholders.

How can the internal auditor preserve value in this context?

First of all, he shall be more than ever strategy-oriented and have a sound knowledge of the organization’s and departmental objectives. This enables a more holistic view which is helpful in formulating recommendations on the alignment of people, systems, structure and processes with the business strategy and values of the organization. A more stringent methodology and structured approach shall be adopted to produce the risk-based internal audit plan so that areas necessitating most audit efforts are identified upfront and prioritized. The financial implication of the process to be audited, the corresponding volume of transactions, whether regulatory requirements are applicable and whether changes have occurred in management, structure and systems are among the factors that should compulsorily be taken into account and critically rated. The plan shall also take into account elements from the bank’s risk register and remain dynamic so that changes in the year can be adequately reflected. Moreover, the internal auditor shall not only satisfy himself that a control is being performed or process is followed as was done traditionally. He has room and also a duty to propose ways to reduce the cost of control performance highlighting duplications and complexity that could be eliminated or recommending automation after undertaking relevant cost benefit analysis having regard to the portfolio of controls. To a greater extent, internal audit teams should recommend investments in digital assets so that the lion share of core assurance becomes automated, hence the monitoring of controls and flagging of non-conformance will be done real time. Value preservation is therefore achievable but the internal auditor must go the extra mile and explore the possibility of value creation.

Is there any room for value creation?

Value creation is achievable provided the internal audit team can develop additional synergy with other controls functions of the bank such as Risk and Compliance, through enhanced communication, sharing of work plans and joint assignments where relevant. Without this initiative, there will be no consolidated bank-wide view of governance issues and risk and mitigation will not be effective since risk identification, measurement and monitoring will be influenced by departmental objectives without paying attention to the bigger picture. Having a better synergy among the control functions will also encourage more risk anticipation whereby the key players will use their professional judgment and analytics to identify emerging risks in a timelier manner.Internal auditors can dare which will create opportunities to add value. Over the years, they had a general tendency to refrain from giving insights and challenge management on projects or major decisions fearing this may conflict and cause independence issues when they will audit same at a later stage. Internal audit teams should be in a position to express their views at any stage provided same can be supported by facts and spot on examples from past experience. The internal audit team can be involved earlier on projects as this results in numerous benefits to the organization considering that better project governance will be encouraged from the outset and corrective actions can be taken before resources are consumed. The merits will be bigger when the organization is not very mature in the delivery of major projects and is about to embark on an internal transformation exercise such as digitalization. There are other tasks that can contribute to adding value. For instance, internal auditors can assign an even bigger priority to high fraud risk areas in audit planning and also ensure the designated audit process comprise more forensic techniques though fraud management is not the internal auditor’s primary duty. The internal audit team can also, amongst others, assist management in undertaking follow ups on the implementation of the external auditor’s management letter or regulators’ inspection report and provide independent periodic updates to management.

Which attributes shall the internal auditor display in this disruptive banking environment?

The internal auditor shall be highly agile. He needs to display open mindedness and skepticism, be courageous to speak the truth to power and be future oriented in the attempt to anticipate risks and take mitigating action. The internal auditor must also constantly upskill/reskill in this technology era to supplement available business skills and acumen. The internal audit team must be visible and find means to communicate and market any value add they are bringing, using quantification wherever possible. This will boost relationships with key stakeholders and act as justification that the internal auditor is a Trusted Advisor who deserves a seat at the table. To conclude, the extent to which the internal auditor can readapt his agenda in the light of the disruptive banking environment and implement it will determine how successful he is.