Financial institutions are subject to an increasingly complex web of laws and regulations that affect operations. New dedicated teams are created internally to deliver assurance to management and the board of directors, or at least comfort them over the risk and compliance profile of the institutions.
These new dedicated control functions are, in many aspects, similar to the internal audit function. After having introduced the well-known ‘three lines of defence’ approach, this article presents to directors a method to challenge the possible overlap between the compliance monitoring and internal audit functions.
Governance arrangements in financial institutions
In most jurisdictions, laws and regulations require financial institutions to have robust internal governance arrangements. Proper governance arrangements imply that the board of directors has a clear understanding of the institution’s situation. The board should therefore receive information in a timely, complete, understandable and accurate manner so that it is equipped to make informed decisions.
In order to assist the directors in discharging their duties, since the implementation of Basel II, common industry practice for sound governance often relies on three lines of defence – business line management (first line of defence), independent advisory and monitoring functions (second line of defence, such as compliance, risk management, IT security and data governance) and the internal audit function (third line of defence). This three lines of defence approach, which is now typical within credit institutions and investment firms, is being adopted by insurance companies because of the ongoing implementation of Solvency II worldwide.
The directors, the persons responsible for the management of the institution and the persons in charge of the second and third lines of defence are sometimes referred to as the ‘key functions’, that is, the functions which exercise significant influence on the conduct or monitoring of activities. Among the three lines of defence, the internal audit function provides independent, objective and critical assurance over the first two lines of defence.
Internal audit as the third line of defence
As the third line of defence, internal audit is subject to strong requirements in terms of professional qualifications, competencies, experience, resources, independence and quality-control processes. It plays a particular role within financial institutions. Indeed, internal audit is one of the few functions to have a global view over all functions. This may be due to the fact that, in order to assist the executive management and the board of directors, the internal audit function is usually required by laws and regulations to assess:
- Compliance with the laws and regulations as well as the prudential requirements (e.g. Basel II/III and Solvency II)
- Internal control’s efficiency and effectiveness
- Adequacy of the administrative, accounting and IT organisation
- Safeguarding of the securities and assets
- Adequacy of the segregation of duties and of the execution of transactions
- Accurate and complete registration of the transactions and the provision of accurate, complete, relevant and understandable information available without delay to the board of directors, specialised committees and, where appropriate, the management and the authorities
- Implementation of the decisions taken by the management and by the persons acting by delegation and under its responsibility
- Compliance with the procedures governing the adequacy of the regulatory and internal own funds (capital) and liquidity (reserves)
- Adequacy of the risk management framework and activities
- Operation and effectiveness of the compliance and risk control functions
Especially in Europe, within financial institutions, internal audit traditionally delivers advisory and assurance on matters known today as the second line of defence. Internal audit departments have therefore built up strong expertise in compliance, risk management or IT security. This may explain why internal auditors are often perceived as the de facto experts on these matters. For instance, internal audit may assist the board of directors in determining whether the institution’s second line of defence has the necessary and sufficient human resources, infrastructure and budgets (taking into consideration the nature, scale and complexity of the activities of the institutions). Internal audit may also provide assurance over the reliability and accuracy of the reports received by the board of directors from the second line of defence.
Internal audit and the second line of defence: the case of the compliance monitoring teams
The second and third lines of defence are sometimes called the internal control functions. Directors must determine that the internal control functions verify that the internal policies (but also the organisational structure and activities) and procedures are in line with applicable legal and regulatory requirements.
For that purpose, the board of directors should approve the policies which describe the fields of intervention of each internal control function and clearly define the responsibilities for the common fields of intervention of the internal control functions.
The board of directors should be aware of possible duplication of work and of measures to remedy these situations. For instance, in some financial institutions, compliance monitoring teams (CM teams) are set up because of the increasing complexity of the regulations.
The approach adopted by CM teams is often very similar to the one adopted by internal audit departments. They oversee business activities in accordance with a risk-based annual compliance monitoring plan. Their engagements are carried out by following the same milestones as internal auditors: planning, testing, report writing, recommendation follow-up and record-keeping.
These CM teams (commonly reporting into the chief compliance officer) are usually in charge of providing independent advice and assurance over compliance-related activities, such as anti-money laundering/combating terrorism financing, anti-bribery and corruption, data protection, financial products distribution, or new products and services. These are topics that internal auditors must review as required by financial laws and regulations. In this kind of situation, directors should ensure that the split of work is clear and efficient.
Internal audit using the work performed by the CM teams
CM teams may be considered as experts on compliance matters. The Information Systems Audit and Control Association’s (ISACA) information systems audit and assurance standards provide relevant resources to assist internal auditors in this case. As such, internal auditors should assess the adequacy of the CM teams’ professional qualifications, competencies, experience, resources, independence and quality-control processes prior to the engagement.
Internal auditors may need to apply additional test procedures to gain sufficient and appropriate evidence in circumstances where the work of the CM teams does not provide sufficient and appropriate evidence (with respect to the audit objective at stake). Furthermore, internal auditors should determine whether the work of CM teams will be relied upon and incorporated directly or referred to separately in the report.
The trick is…
Internal audit and the compliance monitoring teams must be understood as pertaining to the same ecosystem. On one hand, laws and regulations usually set out internal audit objectives. On the other hand, compliance monitoring teams consist of compliance experts who can assist the board of directors and management in their monitoring and assessment of compliance matters. The two functions are not in contradiction. For instance, internal audit may step in to support the independence of the CM teams in case of conflicts. Conversely, CM teams may become one of the reference points on compliance matters for internal audit. It can be reasonably expected that, over time, internal auditors will place more and more reliance upon the work of the CM teams. In all cases, mutual discussion should be sought for the mutual benefit of the institution, the customers and other stakeholders.
About The Author:
Patrick teaches regulatory compliance and deontology at the University of Lorraine (France). Patrick is also an internal auditor for a financial institution based in Luxembourg. As Internal Auditor, Patrick supports Executive Management and the Board by delivering assurance over operations and controls (including critical outsourced functions). Among other tasks, Patrick reviews organisations, projects, departments and reports/plans against good practices and/or current/upcoming regulatory requirements (e.g. AB&C, AIFMD, AML/CFT, Data Protection, EMIR, MAD, MiFID, UCITS V). Prior to that, Patrick was a consultant at KPMG. He is an economist by training, holding a master's degree from the University of Delaware (US) and another one from the University of Lyon II (France).
FOOTNOTES:
1 See, in particular, the following Basel Committee publications for details: The internal audit function in banks, June 2012; Principles for enhancing corporate governance, October 2010; Compliance and the compliance function in banks, April 2005.
2 This list is extracted from the Luxembourg CSSF Circular 12/552: Central administration, internal governance and risk management.
3 See standard ‘1206 Using the Work of Other Experts’ and guideline ‘2206 Using the Work of Other Experts’.