Internal Audit Function
in Large Financial Institutions
An International Benchmarking Survey
December 2013
Under this project, conducted by IIA Spain, leading banks of a similar large size around the world were invited to participate in a survey on how they deploy their internal audit functions.
There were eleven respondents: Banco Santander, Barclays, BBVA, BNP PARIBAS, HSBC, ING Bank, Intesa Sanpaolo SpA, Nordea Bank AB, Société Générale, The Bank of Tokyo Mitsubishi UFJ, Ltd. and UniCredit SpA.
The project evaluated the following:
• The structure of internal audit functions.
• Human Resources policies for internal audit (rotation, training and skills).
• Current and future strategic risks.
• Internal audit methodologies (universe, Risk Assessment and planning).
• The execution of audits (branches, fraud analysis and continuous auditing).
• Consultancy assignments.
The study
Number of internal auditors and total staff of the company, organization and internal structure.
The average ratio of the IA staff to total employees is 0.67%.
All respondents organize their Internal Audit departments/areas by type of business. Some also include geographical criteria and types of organizational risk (82% and 27% of respondents, respectively).
Main conclusions - structure of the IA function (1/8)
[Figure: Internal Auditors / Staff Size, by entity. Entities 1 to 11, in ascending order: 0.35%, 0.36%, 0.44%, 0.50%, 0.53%, 0.54%, 0.58%, 0.75%, 0.97%, 1.04%, 1.32%; average 0.67%.]
Organizational internal structure
Those who have a decentralized model assign between 7% and 50% of their staff to corporate functions.
Main conclusions - Structure of the Internal Audit function (2/8)
[Figure: Internal audit function, centralized or decentralized structure. Segments: decentralized model, centralized structure. Values shown: 45% and 55%.]
[Figure: % of the staff based at the corporate/HQ functions, entities 1 to 6. Values shown: 50, 20, 20, 7, 23, 30.]
55% have specific programs for the internal and external rotation of auditors.
The annual training hours per auditor range from 15 to 80, averaging 52.
The majority (55%) have established a specific policy for achieving professional qualifications. 40%(1) of the entities include this policy within career plans.
Main conclusions – Human Resources policies (3/8)
[Figure: annual training hours per auditor. Values shown: 80, 70, 68, 65, 56, 52, 49, 40, 40, 40, 15.]
The average percentage of internal auditors with professional qualifications is 40%.
Main conclusions - Human Resources policies (4/8)
[Figure: percentage of internal auditors with professional qualifications. Values shown: 95%, 77%, 52%, 50%, 40%, 40%, 13%, 13%, 10%, 10%.]
Main conclusions - Human Resources policies (5/8)
[Figure: The most relevant skills in the medium and long term for internal auditors. Chart categories:]
• Communication
• Analytical and critical mindset
• Understanding of organization’s strategy and business model
• Act as a change agent
• Analysis and data retrieval
• Knowledge of audit standards
• Sector specific knowledge
• Teamwork
• Cybersecurity and privacy
• Continuous improvement mindset
• Flexibility/adaptability
• Leadership
How internal audit’s focus on risks is likely to change over the next 3 years.
Main conclusions - current and future risks (6/8)
Strategic, reputational and conduct risks are expected to experience a significant increase in the next three years.
[Figure: Current and future risks. Series: Currently, Next 3 years. Chart categories:]
• Information Technology Security and Data privacy
• Anti-Money Laundering
• Credit and Counterparty Risk
• Operational Risks
• Other regulation and government policies
• Conduct Risk
• Fraud & Ethics
• Reputational Risk
• Capital requirements
• Liquidity Risk
• Accounting Risk, SOX and financial reporting controls
• Legal Risk (including taxation)
• Market and Structural Risk
• New product introductions
• Strategic Risk
• Other Risks
• Merger, acquisitions and JVs
Construction of the audit universe.
In general, the banks built their audit universe on the basis of business, processes and risks, as well as legal and auditable entities.
46% of the entities review the audit universe annually. The rest do this more frequently (36% every 3 months and 18% every 6 months).
Risk Assessment: frequency of updates, type of risks considered and discussion with other bank functions.
The majority of respondents (55%) update their Risk Assessment annually. The rest update it more frequently (27% every 3 months and 18% every 6 months).
The risks most frequently taken into account in the Risk Assessment are: regulatory/compliance, market, credit, operational and technological.
In 82% of the cases the Risk Assessment is discussed with other bank functions.
Main conclusions - methodology (7/8)
Internal Audit plan: frequency of updates and revision, and time horizon.
All respondents have a risk-based audit plan.
46% update their audit plan annually. The majority (54%) do this more frequently (27% every 3 months and 27% every 6 months).
Half review their audit plan annually. The other half does so more frequently (30% every 6 months and 20% every 3 months).
Nearly two thirds (64%) have audit plans that run for 12 months. The rest cover periods of 24 and 60 months.
Audits on branches and fraud analysis.
73% carry out branch audits and fraud analysis.
Continuous auditing
55% of respondents carry out continuous audits mainly focused on branches.
80% use massive data processing tools in audit work.
Consultancy assignments.
The majority of respondents (82%) do not perform consulting.