The Development of Internal Audit Departments at Banks

The Development of Internal Audit Departments

at Banks

Has corporate governance led to a better fit between internal and

external auditors?

The Development of Internal Audit Departments at Banks Page 2

The Development of IAD at Banks

In what way have new corporate governance regulations led to a

change at IADs at banks change how did this affect the relationship of

the IAD of banks with the external auditor?

-

Master Thesis-

Heerde, August 2011

By:

Jos Dijkhof

Student number: 1483595

Supervisor: prof. dr. D.M. Swagerman Co-assessor: dr. B.J.W. Pennink

The Development of Internal Audit Departments at Banks Page 3 PREFACE

To finish my Msc in Organizational and management Control at the university of Groningen my thesis was about Internal Audit Departments at banks. The reason why this subject interested me was because the internal auditor and the external auditor have the similar jobs. Only, the internal auditor has a broader scope of interest. It was interesting to see the interaction between them and what was done to prevent work being duplicated.

I could not have finished my thesis without the help of several persons who I would like to thank. Firstly, I would like to thank Johan Scheffe of the NIVRA who pointed out the latest banking developments to focus on. This was a great incentive for me to start working on my thesis. Also I would like to thank Hans Nieuwlands from the Institute for Internal Auditors helped me in contacting employees of Internal Audit Departments of several banks. With his network I could contact the IAD of banks very easily. I am also grateful for the information the interviewees provided and for the time they took. These were Keimpe Kloosterman (Friesland bank), Harrie de Poot (Rabobank), Bas van Meegeren (BinckBank),Marco Rijlaarsdam, Willem buijs (both ING) and Dirk-Willem Huizing (SNSbank) feedback to come to a good result. And I want to thank Hans Moison (Ernst & Young) who could provide me assurance about the vision of the external auditor on the topic of the research.

And finally I would like to thank my supervisor Dirk Swagerman who guided me throughout the process of writing the thesis.

Heerde, August 2011

The Development of Internal Audit Departments at Banks Page 4 SUMMARY

This thesis investigates whether the role of the IAD (Internal Audit Department) has altered in recent times because of changing Dutch corporate governance regulations. Furthermore, the effect of this on cooperation with the external auditor is investigated. This investigation is captured in the central research question: In what way have new corporate governance regulations led to a change at IADs at banks change how did this affect the relationship of the IAD of banks with the external auditor?

It is suggested that the IADs from the participating banks in this research have indeed changed significantly. Most of them have been working with a new auditing tool for a few years. Furthermore, the research reports and audit structure are clearer and more explicit. In the past certain audit performances were more informal and less explicit. These changes have been made because of corporate governance regulations and the supervisory board that wants more transparency. The relationship with the external auditor has not really changed. In the planning phase the interaction has increased. In all other audit related aspects interaction has remained the same. It has intensified but not significantly.

The theory shows that the role of the IAD is becoming more and more important. This also has an effect on the guidelines for cooperation between external and internal auditors. Furthermore the theory shows that the IAD certainly has value for the bank to prevent or to mitigate problems. It has a consultant role on the supervisory board to inform them objectively because of their independent position within the bank.

The study was performed by interviewing six internal auditors from five banks. This gave a clear overview of the developments of the IAD and whether these changes were the result of corporate governance regulations and if the cooperation with the external auditor increased. To find out the opinion of the external auditor a questionnaire was sent to an external auditor who gave extensive answers to the questions.

The Development of Internal Audit Departments at Banks Page 5 TABLE OF CONTENTS Summary 4 Abbreviations 9 1. Introduction 10 1.1 Background 10 1.2 Research question 12

1.3 Structure of the report 12

2. Theory 13

2.1 The Internal Audit Department (IAD) 13

2.1.1 The roots of the IAD 13

2.1.2 Definitions 13

2.1.3 The work performed by an IAD 14

2.2 Corporate governance 16

2.3 Actors in governance 18

2.3.1 Executive board 18

2.3.2 Supervisory board and audit commission 18

2.3.3 External auditor 18

2.3.4 Line management 19

2.3.5 Other assurance-functions 19

2.3.6 External Supervisors 19

2.4 The value of an IAD 20

2.4.1 Increasing value 20

2.4.2 Conclusion 21

2.5 The role of IAD in the bankruptcy of two banks 22

2.5.1 DSB (Dirk Scheringa Bank) 22

2.5.2 Van der Hoop Bankiers 23

The Development of Internal Audit Departments at Banks Page 6

2.6 Regulations Influencing the IAD 24

2.6.1 The Dutch Corporate Governance Code (2003) 24

2.6.2 The changed Corporate Governance Code (2009 - present 25

2.6.3 SOX (Sarbanes-Oxley act, 2002) 26

2.6.4 Basel principles 26

2.6.5 ROB (2001-2007) 27

2.6.6 Wft (2007-present) 27

2.6.7 The banking code (2010 – present) 28

2.6.8 Conclusion 29

2.7 The reliance standards used by the external auditor 30

2.7.1 NV COS 610 30

2.7.2 Practice guideline 1110 31

2.7.3 SAS 65 31

2.7.4 IIA (standard 2050) 32

2.7.5 Conclusion 33

2.8 Elements of a strong IAD 34

2.8.1 Commitment 34

2.8.2 Internal Audit Charter 34

2.8.3 Methodology 35

2.8.4 People 35

2.8.5 Objectivity and Independence 36

2.8.6 Conclusion 36

2.9 Outsouring an IAD 37

2.9.1 Regulations 37

2.9.2 Main reason for outsourcing 37

2.9.3 Influence on external auditor 38

The Development of Internal Audit Departments at Banks Page 7 3. Research Method 39 3.1 Case study 39 3.2 Interviews 40 3.3 Questionnaire 40 3.4 Framework 41 3.4.1 Control environment 41 3.4.2 Risk assessment 41 3.4.3 Control activities 42

3.4.4 Information and communication 42

3.4.5 Monitoring 42

3.5 Interviewees 43

3.5.1 Harrie J.W. de Poot (Rabobank) 43

3.5.2 Bas van Meegeren (Binck Bank) 43

3.5.3 Dirk-Willem Huizinga (SNS Bank) 43

3.5.4 Keimpe T. Kloosterman (Friesland Bank) 43

3.5.5 Marco Rijlaarsdam & Willem Buijs (ING) 44

3.6 Participating Banks 44 3.6.1 Friesland Bank 44 3.6.2 Rabobank 45 3.6.3 ING 45 3.6.4 SNS Bank 46 3.6.5 Binck Bank 46 4. Discussion 47

4.1.1 General control environment 47

4.1.2 Risk assesment 47

4.1.3 Control activities 48

4.1.4 Information sharing and communication 48

The Development of Internal Audit Departments at Banks Page 8

4.1.6 Room for improvement 49

4.1.7 Better governance 49

4.1.8 Future research 50

5. Conclusion 51

6. Literature overview 53

7. Appendix 57

Appendix A: Questions for the interview 57

Appendix B: Meeting minutes I 59

Appendix B Meeting minutes II 61

Appendix B: Meeting minutes III 63

Appendix B: Meeting minutes IV 65

Appendix B: Meeting minutes V 67

Appendix C: Questionaire 69

The Development of Internal Audit Departments at Banks Page 9 ABBREVIATIONS

AFM Autoriteit financiele markten (Authority on Financial Markets) AICPA American Institute of Certified Public Accountants

CGR Corporate governance regulations DNB De Nederlandse Bank (the Dutch Bank)

EA External auditor

IA Internal auditor

IAD Internal audit department IIA Institute of internal auditors

NIVRA Nederlands instituut van Registeraccountants (Dutch institution of Certified Public Accountants)

NOvAA Nederlandse Orde van Accountants-Administratieconsulenten (Dutch Association of Accounting Consultants)

NVB Nederlandse vereniging van banken (Dutch Association of Banks) NV COS Nadere voorschriften Controle- en overige standaarden (rules for

control and other standards) PCAOB Public Company Oversight Board SAS Statement on Auditing Standards

ROB Regeling organisatie en beheersing (regulation organization and control)

The Development of Internal Audit Departments at Banks Page 10

1. INTRODUCTION

This chapter clarifies why the research has been performed and why it was relevant to conduct this research, and especially why it is interesting in the current time and environment. Firstly, several events and findings are described which will lead to some interesting issues that are worthy of investigating. Secondly, the research question is stated. Thirdly, sub-questions have been set up to create a foundation for the answer to the central research question. Finally, the outline of the report is given.

1.1

Due to new amendments there has been a noticeable change in corporate governance for especially banks. From the first of January 2009 firms have to comply with the new Dutch Corporate Governance code which was adapted under the guidance of chairman Frijns. Banks also have to comply to the new Banking Code from the first of January 2010. The board of the Dutch association of banks (NVB) has formed a Banking Code. This new Banking Code has been presented to restore trust and assurance after the failure of risk assurance which led to the credit crunch. This code is a kind of self regulation set-up by banks, based on a report „The future for banks‟ written by the advisory committee (Commission Maas). The spearhead of these principles is aimed at increasing governance within banks, as well as risk management, audit, and remuneration policies.

Although not a lot of attention was paid to the internal auditor in the report of commission Maas the Banking Code paid special attention to the role of the internal auditor (Dekker, 2009). In the adapted Corporate Governance Code an increasing part was spent on the role of the internal auditors. These developments show that the role of the internal auditor has become more emphasized recently (Wielaard, 2009). Corporate governance has become more and more interesting due to events like the bankruptcy of DSB and the credit-crunch.

Besides this shifting of emphasis, the relationship between internal and external auditors has become more important due to the current governance climate (Paape, et al., 2005). This article claims that with the increasing emphasis in corporate governance there will be increased cooperation between the internal and external auditor. Besides the pressure of the current governance climate the relationship has economic benefits because of the reliance of external auditors on internal auditors work to prevent duplication of work (Glover, et al., 2008). And the internal auditors will have more value for the firm (Krishnamoorty, 2002). This enhanced value is supported by the fact that, audit fees were approximately 18% lower when external auditors relied on the work of the internal auditor (Felix, et

The Development of Internal Audit Departments at Banks Page 11

The work of internal and external auditors overlap because they both provide assurance. Business strives to ensure that the audit is done efficiently and that work is not duplicated by the external auditors if the internal auditor already has already audited it. If the audit is conducted efficiently the total audit fees charged can be reduced (Lampe & Sutton,.1994). Although this sounds promising an external auditors cannot automatically use the work of internal auditors. This also applies to the internal auditor who does not always utilize time and resources effectively to perform audits by procedures assigned by the external auditor (DeZoort et al., 2001).

The IIA and NIVRA report of 2009 concluded that there were still possibilities to increase effectiveness and efficiency. Although there are economic benefits to increase efficiency it is unknown why these possibilities remain unutilized (IIA & NIVRA, 2009). Both groups of internal and external auditors still see possibilities to increase the quality of the cooperation. At the executive level (efficiency) and at strategic levels (effectiveness) possibilities to improve are recognized(IIA & NIVRA, 2009).

The Development of Internal Audit Departments at Banks Page 12

1.2

It has been concluded that there are deficiencies in the cooperation with the external and internal auditor even though there is an increasing emphasis on the role of the internal auditor in corporate governance. That is why it has become interesting to investigate whether the corporate governance codes affect the role and work of the internal auditor. And if so, whether this has made any difference to the relationship between the internal and external auditor.

The central research question of this paper is:

In what way have the IAD at banks changed and how has this affected the relationship of the banks’ IAD with the external auditor because of new corporate governance regulations?

Underpinning this question are a number of penumbral concerns that this study also addresses. These may be summarized as:

What is the value of an IAD for a financial institution?

How was the IAD developed in Dutch banks that went bankrupt in the last decade?

Has the emphasis of the role and position of the IAD grown in the corporate governance regulations?

What factors influence the reliance decision of the external auditor?

On what factors does the quality of an IAD depend ?

Is outsourcing an IAD to the external auditor an option to increase efficiency?

1.3

The Development of Internal Audit Departments at Banks Page 13

2. THEORY

At the beginning of the chapter the actors of the corporate governance are pointed out. When this is clear a study will be presented about the development of the corporate governance in the Netherlands. After this a conclusion states what mainly has changed in the CGR (Corporate governance regulations). Furthermore, some core elements of foundations between the Internal Audit Department and the external auditor are pointed out.

2.1

2.1.1

Every activity performed in an organization is made up to cover an emerging need. Although it seems logical that every major firm has an internal auditor, internal auditing was not recognized as a major topic of interest by many enterprises and external auditors until the 1930s. The internal auditing aspect became interesting because the world had just gone to a major economic depression (Robert, 2009). As a corrective measure the Securities and Exchange Commission (SEC) required that listed enterprises to provide financial statements certified by independent auditors. This measure resulted in corporations establishing internal auditing departments. The firms created these departments to assist the external auditor. The Institute of Internal Auditors was set up in 1942 in New York City. The IIA was formed by people who had been given the title of internal auditor by their enterprises and who wanted to both share their experiences and gain knowledge with others in this new professional field1.

2.1.2

The definition of internal auditor is according the IIA:

’Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes’2.

The Development of Internal Audit Departments at Banks Page 14

The definition of the internal auditor in NV COS (NIVRA & NOvAA, 2010) is defined as follows:

‘’ Individuals who perform activities of the internal audit function. Internal auditors can belong to an internal audit department or belong to a department who perform a similar function.’’

The definition of the internal audit department is:

‘’An assessment activity established or provided as a service to the entity. Its functions include examining, evaluating and monitoring the adequacy and effectiveness of internal control’’

2.1.3

Internal audit staffs can operate with either narrow or broad charters, and the breadth of the charter is one of the major determinants of the size of the staff. A narrow charter, which would necessitate a relatively small internal audit staff only, leads to mostly compliance audits and preparation for the external auditor‟s control activities to reduce audit fees (Merchant & van der Stede, 2007). At the other extreme, some staffs operate with a broad charter and that can include many forms of performance auditing, involvement in the design and improvement of business processes and internal control system. Furthermore, it can, as Richards (2001) further notes provide additional value to the firm by well-structured management consulting.

The IAD investigates if the planning and functioning of processes concerning the area of risk management, control and governance are sufficient to realize the goals of the organization. It will give „assurance‟ and advises the management responsible, the board and the Audit committee. To realize this function several audits are performed, the most audits which are performed are the following:

1. Financial Audit:

An audit of financial statements enables the auditor to express an opinion whether the financial statements are prepared, in all material respects, in accordance with an identified financial reporting framework (Merchant & van der Stede, 2007)

2. Operational Audit:

An audit of (parts of) the management control (or internal control) system of an organization to provide additional assurance whether this will enable the organizations to reach its objectives and, if needed, provide advice for improvement (Merchant & van der Stede, 2007) 3. Compliance Audit:

An audit to assess whether the organization adheres to certain specific requirements of policy, procedures, standards, or laws and governmental regulations (Jurgens & Stijnen, 2008)

4. IT-audits:

The Development of Internal Audit Departments at Banks Page 15

Table One provides an overview of the percentage of IAD spending that is allocated to specific audits.

Year 2001 2004 2007 Financial Audit 31 25 23 Operational Audit 34 36 35 IT/EDP Audit 15 13 14 Fraud Audit 2 2 3 Compliance Audit 8 10 12

Ethical audit/tone at the top 0 1 2 Audits of incentive and reward systems 1 2 2

Consulting 8 10 8

Other 1 1 1

Total 100 100 100

Table One: Time spent per audit type as a % of total (Paape, 2007)

The Development of Internal Audit Departments at Banks Page 16

2.2

Given the parameters and focus of this research it is imperative to note how corporate governance regulations have changed during the last few years. In the introduction of this research something is already said about the increasing role of the IAD in the corporate governance framework. It is important to know what is actually meant by corporate governance.

The following definition of Corporate Governance is a generally accepted definition:

‘Corporate governance is about managing and controlling, about responsibility and distribution of power and about accounting and supervision’ (commission CG, 2003).

The corporate governance code states what good practices are for assurance and risk reporting and which role an actor in governance should have. This includes a firm possessing an internal risk and assurance system and to ensure that a firm stays in control(Groot, 2006).

As a result of the corporate governance framework the definition good governance is often used. Good governance indicates a system of effective standards and rules for good administration and of supervision on the enterprise, a system of justified accounting and balanced influence of the stakeholders (Peij,2008). Figure one provides an overview of the parameters of good governance

The Development of Internal Audit Departments at Banks Page 17

Figure One shows that relevant information should be accessible to the stakeholders. Furthermore, the annual reports of the banks should meet proper standards. By exercising accountability, organizations also show that they are in control. This means that their leaders ensure satisfactory management and control of both primary and secondary operational processes. To complete this management and control system, public organizations should have an adequate internal auditing unit. To ensure compliance with the other primary standards for good governance, it is important to be in control in this sense. Policy must be implemented effectively and efficiently, and this policy should be based on the demand of the shareholders and of the customers.

Over the past 10 years, there has been a loud call for “better” governance of organizations. This call began with a focus on major public companies and has expanded to cover a broad range of organizations. As indicated in figure 1(0r 2?) at least three key factors underlie the call for improved governance.

Figure Two: Demand for governance (Hermanson & Rittenberg, 2003) Changes in Share

Ownership patters (institutional investors Continuing Organizational

Disasters (Fraud, bankruptcy etc.) (

The Development of Internal Audit Departments at Banks Page 18

2.3

This chapter gives a clear overview who actually influence the governance of a firm and also who might influence the auditors, directly or indirectly. This will also create a better understanding of the position of the internal auditor.

2.3.1

The executive board is responsible for the realization of the goals and the guidance of the organization. Instruments which enable for the guidance of the organization are internal risk management and control systems. This conceals not only the care of realizing the strategically and operational goals but also that the reporting is reliable and that law and rules are followed. The IAD can support the board heavily in this important task. The IAD can give additional assurance about the degree of how the risks are controlled and in the way law and rules are followed (IIA et al., 2008)(Chair Frijns, 2008). The board of directors is accountable for this to the supervisory board and to the general meeting.

2.3.2

The supervisory board has the role to supervise the executive board and provide them with advices. In discharging its role, the supervisory board shall be guided by the interests of the company, and shall take into account the relevant interests of the company's stakeholders. The composition of the supervisory board shall be such that the members are able to act critically and independently of one another, the management board and any particular interests(OECD, 2004). The Audit committee also evaluates the work performed by the internal audit department and the external auditor. At least once a year the audit committee negotiates the outcomes of the evaluations of the quality of the control. (IIA

et al., 2008)

2.3.3

The Development of Internal Audit Departments at Banks Page 19

2.3.4

In the first place line management makes sure that goals are realized and that the controls remain effective. This is also called the first line of defense. The results of the audits by the Internal audit department can help the line management to increase the control power (IIA et al., 2008).

2.3.5

In many organizations there are other assurance-functions like risk management, compliance and special internal controls. These functions often have a more operational role. This forms the „second line of defense‟. They are often responsible for developing policy and take care of the implementation of new rules to monitor the way the new policy is followed. Because they are part of the internal control system of the organization the IAD judges the effectiveness of the assurance functions. Furthermore, the IAD can identify gaps and inefficiencies between these functions to increase the effectiveness of the internal control systems. So, the internal auditors are often called the „third line of defense‟ (IIA et al., 2008).

2.3.6

The AFM (Autoriteit Financiële Markten [Authority on Financial Markets]) And the Dutch central bank (De Nederlandsche Bank NV (DNB)) are external supervisors for banks in the Netherlands. All these regulations are embedded in the Financial Supervision Act (Wft).

DNB has the task of prudential supervision of financial firms and to decide on the admission of financial undertakings in the financial markets. Prudential supervision focuses on the solidity of financial institutions and contributing to the stability of the financial sector (art 1:24 Wft).

The AFM has the task to conduct behavioral supervision on financial markets and to decide on the admission of financial institutions to those markets. Behavioral supervision is focused on orderly and transparent financial market processes, clear relations between players on the market and careful treatment of clients by those players(art 1:25 Wft).

The Development of Internal Audit Departments at Banks Page 20

2.4

The additional value of the IAD lies on the one hand in the specific combination of independence and objectivity when conducting the researches and on the other in their knowledge of the business, culture and the internal relations of the organization. To guarantee this independence of the IAD it should be placed as high as possible in the organization (IIA et al., 2008).

Banks, that are often very complex with diverse services and operations gain by having internal auditors by these many years and accumulated knowledge the daily commitment, so that the IAD have an in depth and current knowledge of operations. The pooling of this business knowledge by the IAD meansthat they should be taken seriously by the Board of Directors and the Supervisory Board. Also it can give advice that can form the basis for improved control of processes, especially where the risks are too high (Schouten & van Hulsen, 2009). External auditors or internal audit service providers has to gain knowledge about the business and operations before they can begin with internal auditing (Burch, 2011).

Internal audit's role here is to help management and the board clearly articulate these risks and rank them in order of impact to the firm, as well as their likelihood of occurring. And given internal audit's independent position within the company (the group usually reports to the board or audit committee), the board can be assured that it is receiving unbiased information. In addition to identifying and ranking these risks, internal audit can help assure management and the board that key risks are appropriately controlled. Internal audit can also play a significant role for companies in industries that are highly regulated by ensuring to management and the board that the firm is taking the appropriate steps to ensure compliance. (Jeffrey, 2008)

2.4.1

Internal auditors in financial institutions are a vital link in the control framework. This is because, according to Schouten and van Hulsen (2009), external auditors believe that the IAD is becoming more professional which creates more support within the organization It is noted by external auditors that the IAD is becoming more professional which creates more support within the organization. The professionalization is primarily noticed in their documentation and the well-structured audit methodology. These improvements are mainly caused by the increased awareness of the importance of a well developed IAD and because of peer review which are in general more often conducted3.

The Development of Internal Audit Departments at Banks Page 21

Because of this the external auditor will be able to make more use of the findings of the IAD. Therefore the IAD has in general added value for the external auditor. Because the work performed by an IAD can contribute to a better audit and the external has to spend less time on audit engagements. An IAD can add value by focusing on the business risks that are predominant for the firm. By doing this the IAD may prevent or deter the loss. With the audit committee‟s and management increasing demands from internal audit, quality continues to grow in importance. As a result the quality and importance of the IAD is increasing (Ernst & Young, 2008). For financial institutions the value is also increasing and the IAD is on their agenda. In meetings with the external auditor by the results of audits performed, the planning and proceedings are discussed more frequently and more profoundly3.

2.4.2

The Development of Internal Audit Departments at Banks Page 22

2.5

Risk management is the basic function of financial institutions. The crisis has shown that it often was not effective style. Risk managers were seen as deal breakers giving them too little real influence on decision making, the focus was heavily on a sophisticated use of risk models and too little on common sense effectively manage risk, and financial chain was too vague leaving no sight was the link between different markets and different types of risk (Chair de Wit, 2010). But how „well‟ developed was the IAD at banks that went bankrupt the last decade and how important was their function in the organization?

2.5.1

DSB was created from several mediation companies founded by Scheringa. They mediate in the granting of credits. The profit was mainly made by offering insurance while granting credits. Over time, DSB performed these activities by themselves. In 2000, a regular banking license was granted to the DSB Bank, which by then was a small organization. In 2005,the new DSB was forming by joining the brokerage and banking activities..In late 2005, this bank was issued a banking license. Criticism from society and stringent regulations to protect consumers resulted in DSB having to change their business model. Because of the credit crunch and granting a credit to DSB Beheer in 2007 the solvency became under big pressure. The bank run which was called for by Laakeman ultimately resulted in the bankruptcy of DSB (Scheltema et al., 2010).

While issuing the banking license in 2005 the DNB remarked that the administrative organization of the DSB was obviously below par, the IAD was still under construction and there was a messy situation with respect to compliance. In 2007 DNB recognized that the IAD at DSB had made progress. Although the IAD had made progress the situation far from satisfactory. The Executive Board and Supervisory Board did not use of the IAD as a management tool. Next to this the progress reports from the IAD gains little insight in the risks of DSB, the quality of risk management and not addressing shortcomings (Scheltema et al., 2010).

The Development of Internal Audit Departments at Banks Page 23

2.5.2

Van der Hoop Bankiers (1895-2005) was an asset, mortgage and savings bank. New activities which were started from 1995 were often inadequately prepared and caused many problems.Profits were marginal from 2001, the solvency decreased and the organization weakened. When trading in profit companies (firms that perform no activities on date of transaction and has a tax liability) in 2000 and 2001, the guidelines were not adapted and internal rules not followed. Irresponsible risks were taken which resulted in claims of such magnitude that they were a threat of the existence of the bank. The announcement of these claims in May 2005 resulted in a first bank run. In the settlement of the Tax claim Van der Hoop reached the limit of its financial resources, resulting in weakening the bank‟s financial position. After that the bank was no longer solvable. This only became clear when they realized the outcome of the due diligence examination.(Haan & Schimmelpenninck, 2006)

To control the organization, the Finance Department, Planning & Control and the Internal Audit and Compliance Division played an important role. The Department Finance, Planning & Control formed one department with the IAD. In response to a remark by DNB and the introduction of the ROB, the division was separated into separate departments The ROB at Van der Hoop was almost fully implemented although in 2003 van der Hoop Bankiers was not ROB compliant. The set up was that the IAD made reports based on their research and were aligned with the audited department or the responsible managers. The IAD also provided written advice they said. Summaries of their performed work and its progress, were included in the quarterly reports for the Executive Board and Supervisory Board (Haan & Schimmelpenninck, 2006).

A research by the receivers only found a few reports of the IAD. This included undated and unsigned reports. The receivers did not find any registration of the published reports issued by number and date or binders which systematically ranked the reports of the IAD. However, quarterly reports were found with the objectives of the year and its implementation. The audits involving the IAD were mentioned in these quarterly reports.

2.5.3

The Development of Internal Audit Departments at Banks Page 24

2.6

The corporate governance developments in the Netherlands are influenced by international developments in financial markets. Under the influence of the European Union guidelines have been introduced which stimulate the use of committees, the independence of the board of directors and the transparency of the corporate governance practices. After a number of scandals the government was forced to take action. Until then the financial markets and the listed companies had prevented this tight regulation by strong self regulation. They have been working hard professionalizing the internal governance, the dialogue with the shareholders and stakeholders and improving the governance structure (Peij, 2008).

2.6.1

The first corporate governance code in the Netherlands was established in 2003 and was set up under chairman Tabaksblat. It is true that in 1997 the 40 recommendations of Peters had appeared but they were not legally binding and were therefore not sufficiently followed (Young & Roose, 2002). These conclusions were an incentive to settle a set up a committee for corporate governance which should create a new code for best practice. In December 2003 the committee Tabaksblat published the corporate governance code which was legislated by the Dutch government in 2004. From the first of January 2005 Dutch listed companies were obliged to follow the Code as was written in the „comply or explain‟ principle in their annual reports (Tabaksblat, 2003).

Contrary to the recommendations of Peters the role of the internal auditor was looked into in the Dutch Corporate Governance Code of chairman Tabaksblat. From 2005 studies conducted by the Monitoring Committee (chair Frijns) shows that these parts of the code were well respected(Frijns et al., 2005). The role of the internal auditor is stated in the following.

‘V.3 Internal auditor function

The internal auditor, who can play an important role in assessing and testing the internal risk management and control systems, shall operate under the responsibility of the management board

(Tabaksblat et al., 2003)

Best practice provision V.3.1

The Development of Internal Audit Departments at Banks Page 25

It seems that the Committee aimed at enhancing checks and balances by also allowing for the Supervisory Board/Audit Committee to be in contact with IA. With regard to these risk management and control systems, the Management Board is supposed to disclose their adequacy and effectiveness in the annual report. They should also report on their operation, describe any significant changes that have been made throughout the year, mention planned improvements, and confirm that they have been

discussed with the Audit Committee and the Supervisory Board (best practice II.1.4, 10). For this

purpose , again, the Supervisory Board/Audit Committee could rely on IA, because the Code also stated that it could play an important role in assessing and testing the company's internal risk management and control systems

2.6.2

The Commission Frijns was constituted after a report which represented the balance after three years of monitoring whether the actors responsible for governance complied with the Code of Commission Tabaksblat. The Commission Frijns had with several proposals to adjust the Code. These adjustments considered the remuneration of the board, diversity and compositions of the supervisory board, responsibility of shareholders and the role of the board of directors and the supervisory board‟s role in takeovers. In 2008, the corporate governance code was adjusted (Frijns, 2008).

The main changes of this report with the former corporate governance is that it is said to influence the professional attitude of the directors, commissioners and shareholders. In this way it addresses the criticism of the Corporate Governance Code that it resulted in a ticket-the-box mentality. This code primarily focused on the professional attitude of the directors and members of the Supervisory Board. In Tabaksblat the focus was primarilyon the integrity aspect (Wielaard, 2009).

For the internal audit department two additional best practices were added namely:

V.3.2 The internal auditor shall have acces to the external auditor and to the chairman of the audit committee

The Development of Internal Audit Departments at Banks Page 26

2.6.3

When SOX was presented in 2002 it was immediately and widely recognized as a landmark in the development of Corporate Governance in the world. This Act has extraterritorial effect because the law applies to any company that is listed on a stock exchange in America, without prejudice to the establishment of the company in another country. The provisions of this law are far-reaching for the organization and the external auditor who audits such organizations (Mallin, 2007). This is because although no rule directly applies to the internal auditor, the law can have consequences for the internal auditor. This is for two primary reasons. First, if the internal audit function works for the statutory audit, the external auditor requires that the work is performed as the rules require. This is a result of PCAOB Auditing Standard No 34.Secondly, especially Section 404 affects the internal audit function. Section 404 of the SOX provides that the company has an internal control framework for financial reporting, to test this control framework and that managers signs a written statement regarding the design and operation The audit of the annual report must comply to all legal or other rules on financial reporting, such as the International Financial Reporting Standards (IIA, 2008b)

2.6.4

Internal banking guidelines presented the banking sector by the Basle committee. The principle set in Basel III is designed both to reinforce basic principles that can help minimize problems and to identify practices that can be used to implement the principles. Together these represent important elements of an effective corporate governance process.

The board has overall responsibility for the bank, including approving and overseeing the implementation of the bank‟s strategic objectives, risk strategy, corporate governance and corporate values. The board should therefore have a clear understanding of their role in corporate governance and be able to exercise sound and objective judgment about the affairs of the bank. Banks should have an effective internal controls system and a risk management function with sufficient authority, stature, independence, resources and access to the board. Risks should be identified and monitored continuously. The board and senior management should effectively utilize the work conducted by internal audit functions, external auditors and internal control functions. The board and senior management should know and understand the bank‟s operational structure and the risks that it poses The governance of the bank should be adequately transparent to its shareholders, depositors, other relevant stakeholders and market participants.(Basel committee, 2010)

The Development of Internal Audit Departments at Banks Page 27

2.6.5

Specific regulations about Internal Audit have only been established for financial institutions, such as banks, which are supervised by DNB. These mandatory rules can be found in the ROB (DNB, 2001). In articles 21 and 22, DNB stated that an institution should have a permanent IAD to systematically test and evaluate the sufficiency of the organizational structure and control mechanisms. DNB also wrote about IA's position, role and scope of services, stating that the entire internal control system should be in its audit scope. According to them an IA should also pay attention to the areas of integrity and integrity control. It also specifies some of the tasks of the Audit Committee and Supervisory Board and mentions that the Audit Committee should have regular meetings with IA and EA to inform them about its conclusions about their activities. The specific focus point is organizational structure and the internal control system. As far as organizational position is concerned, it should report directly to the Management Board and have access to the Supervisory Board/Audit Committee if and when necessary (Nivra, 2010). Quote of article 21 and 22:

‘Article 21

The institution is responsible for a systematic review and assessment, both within the line as the IAD ,the adequacy of the organizational structure and the control mechanism and has established procedures that follow after any shortcomings or flaws, partly under the supervision of the IAD , leading to an appropriate adjustment

Article 22

The institution has a permanent IAD reporting directly to the highest leading persons. This function has:

Sufficient expertise to perform the work to audit and judge about the first line of defense; sufficient; Sufficient independence to report the results on their own initiative directly to the Chairman of the Board;

Sufficient resources to work responsibly, and where necessary to conduct autits on own initiative; Free access to all activities, ,staff, locations and computerization.’

2.6.6

The Development of Internal Audit Departments at Banks Page 28

effective, market-oriented and transparent legislation for the financial markets. Furthermore, the tasks of DNB (prudential supervision) and the AFM (supervision of conduct) are separated in a way that there is no overlap. Moreover, the rules financial institutions must adhere to in the Wft, simplify and reduce the administrative burden on business.

The Wft shows that the IAD must focus on the effectiveness of the organizational structure and procedures. DNB was previously more explicit with the ROB in the determination of the scope of the internal audit activities, e.g. that the scope of the internal audit activities should cover all activities and parts of the institution. Although no substantive change may be assumed, the new rules are less explicit (Nivra, 2010).

2.6.7

The Dutch Banking Association (NVB) has settled the Banking Code after the report entitled „Restoring Trust‟ („Naar herstel van vertrouwen‟), was presented. This report was presented by the Advisory Committee on the Future of Banks (Adviescommissie Toekomst Banken). The foundation of the Banking Code van be found in the recommendations from chapters 1 and 2 of the Advisory Committee‟s report 5_{. All banks in the Netherlands are influenced by the Banking Code (NVB, 2009).}

The Banking Code focuses in particular on the role of the bank‟s executive board and supervisory board and on the function of risk management and auditing at banks. The Banking Code also contains principles about remuneration. The Banking Code does not stand on its own but is instead part of the full set of national, European and international laws and regulations, case law and codes, which is viewed in its entirety (NVB, 2009).

The following rules have been cited from the Banking Code which directly influences the IAD:

‘5.1 The executive board shall ensure that a systematic audit is conducted of the management of the risks related to the bank's business activities.

5.2 Each bank shall have its own, internal auditor who shall occupy an independent position within the bank. The head of the internal audit team shall present a report to the chairman of the executive board and shall report to the chairman of the audit committee.

5.3 The internal auditor shall have the task of assessing whether the internal control measures have been designed properly, are present and are working effectively. This assessment shall include the quality and effectiveness of the system of governance, risk management and the bank’s control procedures. The internal auditor shall report the findings to the executive board and the audit

The Development of Internal Audit Departments at Banks Page 29 committee.

5.4 The internal auditor, the external auditor and the supervisory board’s risk committee and/or audit committee shall consult periodically, including as regards the risk analysis and the audit plan of both the internal auditor and the external auditor.

5.5 As part of the general audit assignment for the financial statements, the external auditor shall produce a report for the executive board and the supervisory board which shall contain the external auditor’s findings concerning the quality and effectiveness of the system of governance, risk

management and the bank’s control procedures.

5.6 The internal auditor shall take the initiative in arranging talks with De Nederlandsche Bank and the external auditor at least once a year to discuss each other’s risk analysis and findings and each other’s audit plan at an early stage’ (NVB, 2009).

2.6.8

Based on our research it can be concluded that during every change of the CGR the role of the IAD is has been emphasized more and more. In the first Dutch corporate governance code the IAD was not even mentioned(Peters). The second corporate governance code (Tabaksblat) emphasized the transparency and effectiveness of the management and control structure. And the adapted version in 2008 mainly focused on the professionalism of the board of directors and the supervisory board instead of their integrity. In this code the Internal Audit department has an increasing value. It was stated that if there is no this Audit Department, the Audit committee should evaluate every year whether they should install it (Wielaard 2009). But for Banks it is obligatory to settle an IAD which was arranged in the ROB of 2001.

The Development of Internal Audit Departments at Banks Page 30

2.7

The role of the internal audit department is determined by the board of the entity and its goals differ from an external auditor. The external auditor´s purpose is to give an objective assessment of the annual report. The primary objective of the external auditor is to assure that there are no material misstatements in the annual report. While the objectives of the internal auditor depend on the wishes of the board. Nevertheless, some means of achieving their respective objectives are often similar and thus certain activities of internal auditing are important in determining the nature, timing and extent of the work of auditors. The judgment of the external auditor about several aspects of an internal audit department influences how he will make use of the work performed by the internal auditor (NIVRA & NOvAA, 2010). For financial institutions whereby the audit requires high levels of company specific expertise can lead to greater efficiency when internal auditors cooperate more with external auditors(Morrill & Morrill, 2003).

2.7.1

The main standard in the Netherlands that governs the relationship between the Auditor and the internal auditor is NV COS 610: Making use of the work performed by the IAD (NIVRA & NOvAA, 2010). The objective of this standard is to enable the EA to make use of the work performed by the IAD and to check whether the work of the IAD has been performed sufficiently for the goal of the audit.

In this standard the following aspects are described: the scope and objectives of the internal audit function, the relationship between internal audit and external audit, understand and initial assessment of the internal audit function, the coordination of the work, and assessing and testing the work of the IAD. To confirm that the performance of the IAD is sufficient for the goal of the audit several points have to be evaluated. Namely the objectivity of the IAD, the expertise of the IAD, the question whether the IAD performed their work professionally and if there is enough communication between the IAD and the EA

The Development of Internal Audit Departments at Banks Page 31

2.7.2

One of the best examples of a guideline that describes the distribution of the roles of the IA and the EA is described in practice guideline 1110. This guideline was provided just after the settlement of the Banking code. The goal of providing this guideline is to give a direction for both the IAD and the EA about their roles resulting from the Banking Code. It is pointed out in this guideline is that governance is emphasized strongly in the banking code (NIVRA, 2010). What makes this guideline special is that it provides attention points for both parties and not only one of both. Also it explains changing governance issues that are closely related to their work.

The guideline ends with a paragraph which discusses whether the EA should use the work performed by the IAD. It states that the IAD makes a statement about the governance of the bank and that the EA should recognize these outcomes and discuss these outcomes with the IAD. If the external auditor notice restrictions or defaults the EA should communicate this to the board of directors and the supervisory board (Nivra, 2010).

2.7.3

The AICPA (1991) Standard 65 "The Auditor's Consideration of the Internal Audit function in an Audit of Financial Statements”, provides the EA guidance on considering the work of the IAD and an using the work performed by the IAD.

It states that it is important for the EA to obtain an understanding of the IAD by doing inquiries. In this way the EA finds out the status of the IAD in the organization, how professional standards are applied, the audit plan of the IAD and to check whether there are limitations on the scope of the IAD activities. Furthermore, the competence and objectivity of the internal auditors should be taken into account when considering using the work of the IAD. This can be done by looking at qualifications of the IA and evaluating the IAs performance (AICPA, 1991).

The Development of Internal Audit Departments at Banks Page 32

If the EA makes use of the work performed by the IAD it is efficient for the EA and the IAD to coordinate their work. This should include periodic meetings, scheduling audit work, providing access to internal auditors' working papers, reviewing audit reports, and discussing possible accounting and auditing issues.

2.7.4

Just as AICPA the IIA also released a standard namely Standard 2050 „Relying on the work of other assurance providers‟. It has also the same characteristics as SAS 65 but then from the perspective of the IA instead of the EA.

Organizations may use the work of external auditors to provide assurance related to activities within the scope of internal auditing. In this case the IAD should take the necessary steps to understand the work performed by the external auditors(IIA, 2010). It might be efficient for internal and external auditors to use similar techniques, methods, and terminology to coordinate their work effectively and to rely on the work of one another (Picket, 2010). Planned audit activities of internal and external auditors need to be discussed to ensure that audit coverage is coordinated and duplicate efforts are minimized where possible. Sufficient meetings are to be scheduled during the audit process to ensure coordination of audit work and efficient and timely completion of audit activities, and to determine whether observations and recommendations from work performed to date require that the scope of planned work be adjusted. The internal audit activity‟s final communications, management‟s responses to those communications, and subsequent follow-up reviews are to be made available to external auditors(IIA, 2010).

AUDITING STANDARD NO. 5

The Sarbanes-Oxley Act of 2002 applies to the external auditor who audits the annual report of an organization. The internal audit function is not mentioned in SOX. Auditing Standard No. 5 shows that the external auditor should evaluate the degree to which it supports on the work of the IAD6. No. 18 of auditing standard No.5 shows that the greater the competence and objectivity of the internal auditor, the more the external auditor may use the work. If there is a low degree of objectivity their work is not used. Furthermore, the risk of the control measure should be taken into account when evaluating whether or not to make use of the work of the internal auditor. If this risk is high, the EA have to perform more work themselves. In the case of entity-level controls assessment and forming a

The Development of Internal Audit Departments at Banks Page 33

conclusion on the control measures, the external auditor should take notice of the activities or reports executed by the internal auditor. In addition, the Auditor coordinate work with the internal auditor relating to research in various locations or business units.

2.7.5

Based on all these guidelines that are provided the most important factors can be derived in the reliance decision of the EA. It all starts with understanding the business and the control framework. This seems logical to perform an adequate audit but it is also necessary to understand the audit plan of the IAD and how the IAD works.

In addition, this objectivity and independence is a very important factor. It is important that the IAD can perform audits on what they consider to be a priority and not be restricted by those in charge of governance. Next to this the IAD should not have conflicting tasks that could harm their objectivity. To stimulate independence the IAD should report to those in charge of governance.

The Quality of the work and the employees is another important factor. If audits are not properly executed or documented the EA cannot rely on the work performed by the IAD.

Communication is an important aspect. Should the EA and the IAD wish to cooperate or rely on each

other‟s work it is logical that they have to communicate. If there is a lack of communication there will be a lack of coordination and a lack of understanding.

To prevent work from being duplicated Coordination has to be performed properly. Meetings should be held to coordinate in a proper manner under. If coordination is optimal a high level of efficiency can be realized.

From the various rules and guidelines stated in this chapter made clear that the auditor may use the work of the internal auditor, on the condition that the quality of the (work of) internal audit function considered satisfactory. Especially when the internal audit function is a good expression to the principles of professional practice, it should be possible to support the work of the internal auditor considerably. There are also guidelines available for internal auditors to increase the coordination to prevent inefficiency. If these rules are properly executed the external auditor can benefit from the advantages of the internal auditor as described in the chapter about the value of the auditor. The professional rules highlight the situation of the external auditor, who uses (the work), the internal auditor. In general the internal auditor and the external auditor are very satisfied with each other (IIA

The Development of Internal Audit Departments at Banks Page 34

2.8

ELEMENTS OF A STRONG IAD

When building an IAD strategic and tactical considerations have to be dealt with, from strong stakeholder support to designing an audit methodology. There is a need to understand how the organization wants to appoint and benefit from and IAD. Listening to key stakeholders as well as to the users of the IAD can help develop the desired quality of the he IAD. And listening can help to the right mix of assurance and consulting services performed by the IAD. Furthermore it is very important what are the critical success factors of an IAD. These critical success factors will be presented in this paragraph.

2.8.1

Whether building an IAD or modify an existing one key stakeholders always need to be identified and met to discuss their vision and expectations for the IAD. For the reason that when an IAD is being changed or implemented, it is generally the case that some individuals or groups within the organization will exercise resistance. Having the support and commitment from key stakeholders will help minimize this resistance. (PWC, 2009)

A good place to start are the members of an audit committee. Other key stakeholders which are important to include are the CEO, chief financial officer, chief operating officer, president, chief ethics officer, chief compliance officer, corporate legal counsel, chief risk officer, and business unit leaders. Building strong relationships with these stakeholders will help ensure success (IIA, 2007).

2.8.2

The internal audit charter should clearly establish the role and responsibilities of the IAD. If the charter is deficient the IAD will probably perform more non-core activities or just fail to perform their work comprehensively. The charter should explicitly describe the scope of the IAD‟s activities as well as informing others of the role of internal audit for specific guidance (IIA, 2007)

The Development of Internal Audit Departments at Banks Page 35

2.8.3

An audit plan should be developed based on a risk assessment. The percentage of the audit plan that can be completed in the prearranged time period (usually a year) will depend on the risks identified and the internal audit resources and staff. There should always be room in the audit plan for management requests to make sure that the audit plan can be performed properly(IIA, 2007).

The IAD should ensure that the risks within the banking industry are understood. Most companies face financial, regulatory compliance, operational, reputational, and IT risks. An organization‟s risk types should be clearly defined and agreed on by stakeholders (Rossiter, 2007). Groups responsible for risk management and compliance should be involved in the risk assessment planning process. Areas such as enterprise risk management, corporate compliance, regulatory compliance, and quality assurance can provide valuable input into the risk assessment methodology (IIA, 2007).

To perform the audit plan, audit processes, tools, policies and procedures, and communication protocols must be established. Technology is almost universally perceived as being critical to increasing both the efficiency and effectiveness of an IAD (PWC, 2010). Investments in, and use of, technology and knowledge are continuing indicators of highly effective IADs (Ernst & Young, 2008). In addition to policies and procedures to support individual audit engagements, policies and procedures for audit administration must be developed. The CAE will need to establish work paper retention standards, communication protocols, staff training and development, documentation standards, and rules for how and when to use external resources to conduct audit work. A strong audit methodology will guarantee clarity of purpose and objectives to stakeholders and to ensure that the responsibilities and accountabilities for the staff of the IAD are clear(IIA, 2007).

2.8.4

The Development of Internal Audit Departments at Banks Page 36

2.8.5

There are a number of standards concerning independence and objectivity. In the regulations and advisories this is a recurring item. The IIA ( Inc. Standards dealing with independence and objectivity in several items namely No. 1100 (independence and objectivity), No. 1110 (organizational independence), No. 1120 (individual independence), and No. 1130 (impairments to independence or objectivity) (IIA, 2010). This objectivity and independence can be realized by having the IAD report to highest level of persons in charge for governance. Furthermore, the IAD must be able to carry out their work freely and objectively. Independence permits internal auditors to render the impartial and unbiased judgments essential to the proper conduct of engagements. In chapter 2.7 and chapter 2.4 the importance of independence and objectivity has already been pointed out because of their unbiased performance the supervisory board and the external auditor can rely on their work or advices.

2.8.6

The Development of Internal Audit Departments at Banks Page 37

2.9

In this chapter outsourcing of the IAD will be discussed. It seems logical that a bank will outsource the IAD to an external party because it is very specific and consequently the firm can focus on the core business. First, regulations will be discussed to see what laws apply for outsourcing for financial institutions. When this is clear an investigation will be performed to determine whether the IAD should be outsourced or retained. Furthermore, it will be investigated whether this will influence the reliance decision of the EA.

2.9.1

The effectiveness of the organizational structure and related procedures and measures must be independently audited (art 4:14 Wft). Independence means that the audit takes place separately of the controls which line management performs. Based on Wft it can be concluded that the internal audit may be outsourced only by smaller companies, but even then internal audit is preferably performed in-house. Larger companies are not allowed to outsource the internal audit to a third party (Bouwman & Westerlaak, 2008). Based on these regulations, only small financial institutions can outsource an IAD to a third party but this cannot be outsourced to their external auditor. Although the task can be outsourced to a third party the firm remains responsible and should check whether the third party has performed their duty correctly (art 3:18 Wft). DNB noted that because of these regulations all financial institutions are banned for outsourcing an IAD.

2.9.2

The Development of Internal Audit Departments at Banks Page 38

2.9.3

External auditors perceive outsourced internal auditors to be more objective and that external auditors are more willing to rely on the work of internal auditors when they perform objective tasks as opposed to subjective tasks (Glover, 2008).

IADs that report solely to the board of directors or the audit committee are perceived more able to provide protection against fraudulent reporting compared to IADs reporting to senior management. It is not stated that there is a different perception of financial statement fraud prevention between outsourced or in-house IADs. Results of the research of James (2003) suggest that increases in perceived audit expertise may occur with outsourcing, but such increases may not significantly enhance user confidence in the internal audit function because users perceive outsourced teams to have less in-depth knowledge of the company than in-house internal audit departments(James, 2003). External auditor judgments and decisions are negatively affected when an outsourced internal auditor also provides consulting services. Consistent with arguments of opponents of auditor provided non-audit services, external auditor perceptions of internal auditor objectivity appears to be impacted negatively by the provision of consulting services (Brandon, 2010).

2.9.4

The Development of Internal Audit Departments at Banks Page 39

3. RESEARCH METHOD

This chapter will explain how the research was conducted. It will also explain the chosen method. The information was gathered by carrying out a literature study which was discussed in chapter two and secondly by interviewing employees of Internal Audit Departments at banks.

In the literature study a clear view is given about the developments of corporate governance. It also states what factors have to be present for an external auditor to cooperate with an internal auditor. However, to explain how these changes have influenced the work of the auditor and whether these developments have lead to more cooperation additional information is needed. The method to collect this information was an in depth interview with a member of the IAD of a Bank.

It should be noted it is not the objective of this research to prove a causal relationship. It can be described as an explorative study to present an overview of what affects an IAD and how this influenced the relationship with the external auditor. Furthermore, the choice was made to do several case studies and not to send a questionnaire is because it was not possible to contact enough Internal Auditors with the right amount of working experience and in leading positions.

3.1

A case study is a common research methodology in social science. It is based on an in-depth investigation of a single individual, group, or event. Case studies may be descriptive or explanatory. The latter type is used to explore causation in order to find underlying principles. In this research the case study is used in a descriptive perspective (Cooper & Schindler, 2003).