INDUSTRY OBSERVATORY LA FÁBRICA DE PENSAMIENTO INSTITUTO DE AUDITORES INTERNOS DE ESPAÑA

Challenges and Expectations for the Future of Internal Audit in Banking and Credit Institutions INDUSTRY OBSERVATORY LA FÁBRICA DE PENSAMIENTO INSTITUTO DE AUDITORES INTERNOS DE ESPAÑA Challenges and Expectations for the Future of Internal Audit in Banking and Credit Institutions December 2014

MEMBERS OF THE TECHINICAL COMMISSION

COORDINATOR: Mónica Albadalejo., CIA, CRMA. NOVO BANCO. Raúl Ara. PWC. Joaquín Arribas. UNIÓN DE CRÉDITOS INMOBILIARIOS S.A. Juan Carlos Chávez, CRMA. BBVA. Antonio de Frutos. BBVA. Enric Domenech, CRMA. BDO. Jaime García, CIA. TRIODOS BANK. Eloy Martín. BANCO SABADELL. Ernesto Martínez, CIA, CRMA. GRUPO SANTANDER. Rosa Nárdiz, CIA. BANKINTER. José Ventura Olmedo. GRUPO SANTANDER. Montserrat Puy. CAIXABANK. José Luis Rey. PWC. José Luis Solís, CRMA. EY. Eduardo Villalobos, CIA. CAJAMAR.

We appreciate the collaboration of Andrew Douglas and Emilie Wilcox, CIA, CCSA, CRMA in translating this document into English. INDUSTRY OBSERVATORY

All modern economies require that their banking industry be both solvent and efficient. The global financial crisis that has so severely affected our country has truly reinforced this concept. Institutions with sufficient risk governance and adequate control environ- ments have had to overcome severe difficulties. Others, whose attention was not centred on control and risk management have simply disappeared, folded or have needed rescue with huge cost to the economy or public finances.

As Cicero said, history is the master of life. Given that, all the recent events should, and are being used to drive reflection on all areas and functions related to corporate gover- nance and control. This reflection is also being carried out with respect to internal audit as a key function of banking. All entities should have a solid and efficient internal audit func- tion that supports strong in line with the three lines of defence.

The Commission that I have had the honour to participate in, and to which I wish to ex- press enormous gratitude for their collaboration with the Institute, has provided experien- ce and deep sectorial insight to help identify the most relevant changes to business mo- dels and regulation. After analysing the changes and the reality of internal audit groups, we have summarized the challenges we are confronting and expectations we must meet.

On my part, I would like to outline the vision for the future that is the product of this study: · Internal Audit will be a very important function: with sufficient authority to be able to conclude objectively and be a driver for change and improvements to internal control systems and risk management. · Internal Audit will set more ambitious objectives: it will have to align itself with the or- ganization’s strategy and produce more relevant and impacting audit reports. · Internal Audit will be more closely integrated with the rest of the organization: it will cooperate more intensely with other lines of defence and will monitor more closely the projects, businesses and special operations that make up the reality of the organization. · Internal Audit will need more talent and resources: professionals with knowledge of risks and business. Technology will become a major driver of change in transforming the function and a key tool for attaining higher levels of efficiency.

Achieving these goals is a huge challenge, but a crucial challenge for the profession, the industry, and our country. We hope that this study contributes to vigorous debate and the generation of solutions.

Ernesto Martínez President of the Spanish Institute of Internal Auditors

3 INDUSTRY OBSERVATORY

Índice

PROLOGUE 06

EXECUTIVE SUMMARY 07

NEW BANKING BUSINESS MODELS 10

CHANGES TO REGULATION AND SUPERVISION 16

Reform of the European Banking Sector–New Regulatory Framework ...... 16

Adapting to the Single Supervisory Mechanism ...... 25

Specific Rules and Regulations for Internal Audit ...... 28

TREND ANALYSIS, PROSPECTS AND IMPACT 31

Trends that impact on the Human Resource Structure of Internal Audit Departments ...... 31

Trends that will impact on the Structre of Internal Audit Departments ...... 35

Trends that will move change in the Approach, Scope and Organization of Reviews ...... 40

Trends that will impact in the Resources and Technical Requirements ...... 45

ASSURANCE AND COMBINED ASSURANCE 47

APPENDIX · TREND TABLE 50

5 INDUSTRY OBSERVATORY

Prologue

Aware of the importance of the banking sec- To achieve this we must accompany our credit tor to the economy, and of the relevance of in- institutions through the continuous change ternal audit to the proper functioning of credit processes of all types they are experiencing. institutions, the Spanish Institute of Internal Only if we are aware of the changes occurring Our profession is Auditors has responded to the need to identify increasingly seen by in the financial environment, will it be possible the primary challenges that must be met, so regulators, supervisors for us to identify challenges for the future of that our profession can continue being a key and investors as a key internal audit and for us to drive the changes player in the good corporate governance of player in protecting an we need. the sector. organization’s value. The primary drivers of change that are moving With this objective in mind, the THINK TANK credit institutions can be divided into two lar- of the Spanish IIA has produced this docu- ge blocks: ment. Based on conversations and debates between credit institutions and consulting firms and the responses of Spain’s principal Business Model Transformation banks’ internal audit groups to a questionnai- This affects the relationship of the organiza- re, it identifies the future trends for the sector. tion with its clients, the pre-eminence of alter- Our profession is increasingly seen by regula- native distribution channels over traditional tors, supervisors and investors as a key player branch offices, technological changes and gre- in protecting an organization’s value. In the ater requirements for technical training for banking sector, as a component of the three employees, for example. lines of defence model most commonly adop- ted by organizations and reinforced in the re- Changes to International Regulation cently updated model for internal control by These are designed to reduce the impact of COSO, internal audit is one of the pillars of possible bank insolvency and to build a more good corporate governance in credit institu- solid and transparent financial system that tions. instills confidence in its integrity, and that pro- Far from conforming to the status quo, inter- tects the consumer. These changes have a hu- nal audit must be aware of the need to keep ge impact in day-to-day business manage- evolving so that key economic players and sta- ment and also for internal audit. We should keholders increasingly consider us as a funda- not forget to mention the changes planned for mental element within organizations. the Single Supervisory Mechanism in Europe.

6 INDUSTRY OBSERVATORY

The first chapters of this document describe The last part of the document identifies the the most relevant aspects related to both challenges, underlining the growing importan- blocks. ce that will be placed on internal audit’s rela- tionship with other assurance functions and Once the changes have been analysed, the with the second line of defence, and how this document identifies trends, expectations and provides an opportunity to increase value for organizations. the impact that we expect these to have on internal audit functions. We consider that these aspects are currently very relevant and that this merits debate on These changes make up the challenges that how they will affect us. We hope that the internal audit will have to face in the short analysis carried out by the Commission is and medium term. helpful in that respect.

Executive Summary

The primary mission of internal audit is to pro- to understand that the financial environment tect and contribute to increasing the value of has changed and is still evolving and that they organizations, which can be achieved through must adapt. Internal audit needs to anticipate Our commitment to its assurance and advisory engagements. This the change, developing its structure, scope quality and efficiency role is so critical that the future of the banking and objectives. and our position as a and credit industries cannot be conceived of key function within an without internal audit as a key part of their This document does not have the objective of organization depends corporate governance, coordinating communi- setting new rules; moreso, it aims to underline on us having a cation and collaborative efforts between the the trends that are emerging in the sector. It proactive attitude to different lines of defence. should be employed as tool for reflection for change. internal audit groups. The financial crisis has instigated significant changes to credit institutions, with considera- Our commitment to quality and efficiency and ble impact on business models, and increases our position as a key function within an orga- in the compliance load coming from new re- nization depends on us having a proactive at- gulation and supervisory models. Entities need titude to change.

7 INDUSTRY OBSERVATORY

BANKING SECTOR · TRENDS IN INTERNAL AUDIT GROUPS

· Integrated audit teams. Human · Greater specialization, more training and deeper experience. Resources · Better coordination with the second line of defence.

Organizational · Direct report to Board or Audit Committee. structure · Deeper involvement in strategic processes.

Objective · Remote monitoring. and Scope · Reviews of governance structures. of Reviews · Innovative approaches.

Technical · Massive data analytics. AUDIT KEY POSITIONING OF INTERNAL Resources · Development of new IT toolstools..

With regard to HUMAN RESOURCES, the more active role in the evaluation and super- trend is moving towards integrated audit te- vision of the internal audit function. Informa- ams, greater specialization and training for re- tion requirements will increase and audit will sources, and improved coordination with the play a more significant role in governance second line of defence and the external audi- structures and the organization’s strategic tor. processes.

It is ever more desirable that audit resources This increased load of internal work, along have sufficient experience, in order to have a with requirements made by the Single Super- level of seniority comparable to that of the visory Mechanism and other regulators should executive management of the activities we be reflected in the amount of hours dedicated audit. We need to be able to question not to reporting and, over time, the amount of re- only procedural compliance but also process sources available to internal audit. design and decision-making. With regard to the APPROACH AND SCOPE The internal audit function, with greater expo- OF REVIEWS, there will be a strengthening of sure to the whole organization, should be or- the current trend of remote monitoring and ganized and report directly to the Board or auditing and this will expand into other areas Audit Committee1, that itself will also play a besides branch networks. Continuous auditing

1. Standard 1110 from the International Standards for the Professional Practice of Internal Auditing states that: The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least an- nually, the organizational independence of the internal audit activity.

8 INDUSTRY OBSERVATORY

will be employed to dynamically feed risk as- knowledge of processes and its globally inte- sessments, with frequent reviews of annual grated view of the organization. The analysis audit plans. carried out by the team underlines that the continued success of internal audit in the co- The quest for new ways of adding value will ming years depends on: lead to new and innovative approaches to re- porting, increasing audit’s advisory role, revie- a) The ability of internal auditors to find wing governance and control frameworks. equilibrium between the needs of different For this to be able to happen, ADEQUATE stakeholders, where the regulator will ha- TECHNICAL RESOURCES must be made avai- ve a far more important role than pre- Internal audit will lable. Internal audit will increasingly rely on viously. increasingly rely on the the review of the operating effectiveness of b) The implementation of new technology to review of the operating automatic controls and mass data analysis. IT maximize the efficiency and effectiveness effectiveness of tools will have to evolve accordingly. of reviews. automatic controls and Internal Audit has before it many opportuni- mass data analysis. IT c) The building of- a strategic alliance with ties to add value to credit institutions. If cu- tools will have to the second line of defence that allows in- rrent opportunities are not sufficient, then we evolve accordingly. creased coverage of assurance activities have on the horizon more opportunities ari- and increased reporting activity to the Au- sing from the work of other assurance func- dit Committee, that itself will demand tions. The Three Lines of Defence model requi- res extra effort to assure that each line works both more and better quality information efficiently. on the functioning of a credit institution’s control systems. This will require implementation of a collabo- rative work methodology for all three lines of d) The capacity to include in its audit univer- defence and the use of a common language se other aspects of the organization such that allows comparable reporting from diffe- as strategic management, governance rent lines and communication channels that structures and risk management culture. promote transparency. All this will be characterised by an increasing Internal audit can lead the implementation of pressure on resources, requiring they be effi- this methodology, adding value through its ciently deployed.

9 INDUSTRY OBSERVATORY

New Banking Business Models

A business model describes, defines and do- paradigm in order to define new management cuments the way in which an organization and client relationship models that deliver ef- creates, distributes and captures value for its ficiency and profitability under complex cir- These changes to clients, a specific market segment, or for other cumstances. business models will stakeholders. This definition refers to many oblige internal audit to more concepts other than just the P&L (for The computerization process, the digital era, respond with a example, client segments, income schemes, internet access, etc., combined with the need pre-emptive approach. resources, activities, partners, cost structures, to grow in an environment of shrinking inco- etc.) me and margins (fragile recovery, low base ra- tes, etc.) and regulatory requirements on capi- Way before the financial crisis, new banking tal and provisions means that change must business models were being debated. We ha- happen. This change, along with balance she- ve realized that the world in which we live et restructuring and the management of can be and has changed. Credit institutions NPLs, must be reflected in the banking sec- that have survived must understand this new tor’s business model. The changes that are happening (in no order of importance) are re- garding: · The regulators and supervisors. AXIS OF NEW BANKING MODELS · Efficiency and bank consolidation. · Clients. Efficiency and bank Regulators · Client education. consolidation · Distribution channels. Supervisors o Distribution · Technology. channels (including CHANNELS REGULATION · Training of personnel. online) If success for the function is to be guarante- ed, these changes to business models will Technology RESOURCES CLIENTS Client centric oblige internal audit to respond with a pre- emptive approach and therefore be able to Training of Financial produce added value for shareholders and Personnel education other stakeholders through a service that is of clients seen as positive and valuable for the organi- zation.

10 INDUSTRY OBSERVATORY

The objective of this chapter is to explain how · Uncertainty around and pressure on new these changes will affect our profession. We banking models. will begin by explaining the previously men- · Uncertainty about the robustness of ban- tioned points in greater detail. king management systems. · Weakening of banking controls. · Impact of mis-selling of financial products. These risks mean The Regulator and the Supervisor · Balance sheet transformation from business management must “The current financial crisis can alter the defi- model change. consider certain aspects nition of the optimum banking model, both in · Macroeconomic environment risk, defined when developing their the medium term, as a result of the crisis, and by the EBA as “High” and that covers: banking models for the in the long term, as a result of even deeper - The level of regulatory change. future. transformation of the business model. Up - The tightness of the schedule for this against a future that is difficult to predict, change. changes to financial regulation resulting from - The implication of this change on the de- the crisis will no doubt have a continued im- velopment of banking business. pact on banking.”2 - Continued lack of confidence in the Through increased requirements, the regulator strength of the banking industry. wishes to avoid recommitting the same errors - The lack of uniformity of regulatory chan- that led the banking sector into its current ge across jurisdictions. state, thereby driving its role in defining the - Different regulations for asset and liabi- business model of the future. lity matching.

Examples of said regulation are Basel III (gre- - Delays to the approval of a European ater requirements for the levels and quality of Banking Union. capital), Dodd Frank (deep financial reform in These risks mean management must consider the USA) or MiFID (model for the protection certain aspects when developing their ban- of customers based on increased transparency king models for the future. and better client relations). These other regu- latory measures will be subjected to a more One other aspect to consider is the Single Su- detailed analysis later on in the document. pervisory Mechanism, which also introduces fundamental change (a more dynamic appro- In the half yearly Risk Assessment of the Euro- ach to capital management and a more intru- pean Banking System, (July 2013, January sive supervisory model). Given the importance 2014, June 2014) undertaken by the Europe- of this aspect, how organisations adapt and, an Banking Authority – (EBA) risks to credit particularly, how this affects internal audit will institutions are identified. For example: be analysed further on in this document.

2. Algunas implicaciones de la crisis financiera sobre la banca minorista española. 2008. Santiago Fernández de Lis and Alfonso García Mora. Magazine “Estabilidad Financiera” nº 15. Banco de España.

11 INDUSTRY OBSERVATORY

These aspects have been highlighted in recent lets them aspire to enter market segments studies carried out on local and international previously out of reach. This will result in gre- banking by firms such as PwC (2013) and EY ater efficiency and ability to compete. (2014). EY, in its European banking Barometer, 1H14 underlines that despite the slow pace of ac- Spanish credit tual bank restructuring, 65% of entities ques- institutions still have Efficiency and Banking Consolidation tioned expect further significant consolidation opportunities to make Efficiency is a core aspect of the management in the next three years. significant cuts to their of all credit institutions. Cost control and im- costs in traditional The trend is therefore that consolidation of provement to efficiency levels will continue to areas, branch networks, the banking sector will continue in the future, be a key focus for the organisations of the fu- centralized service but will be on a pan-European scale rather ture if they are to consolidate and improve on centres and ICT than nationally. processes. the advances made in the last few years. This consolidation process will have profound Spanish credit institutions still have opportu- impact on internal audit. On one hand, due nities to make significant cuts to their costs in diligence needs to be addressed prior to each traditional areas, branch networks, centralized corporate operation. On the other hand, once service centres and ICT processes. consolidated, the final entity may find consi- With regard to branch networks, Spain has re- derable divergence in aspects such as risk duced the number of branches by 26% since management culture, IT systems, products, the beginning of the crisis and will continue etc. This will inevitably make internal audit’s to do so3. Spain is still the European country review process more complicated in the first with the highest ratio of branches per inhabi- few years. tant, but because of the growth of alternative channels (internet and mobile) a traditional branch network is becoming less and less im- Client Centric portant. “Financial institutions must adopt business In order to survive in the market given the models that put the client, and not the pro- magnitude of change, many entities may opt duct in the centre of their organization” 4 for different strategies, either voluntarily or by the supervisor’s suggestion. One of these stra- In the recent past, the financial sector gave tegies is the merger with other entities to give more importance to the product over the the merged entity a critical mass that enables client. In the new banking paradigm, the new product development, cost efficiency and client must be the centre of attention (rela-

3. Boletín Estadístico of Bank of Spain, March 2014, at the end of 2007 there were 45.500 bank branches in Spain and only 33.713 at the end of 2013.

4. in 2020. Evolution or Revolution. 2014 PwC.

12 INDUSTRY OBSERVATORY

tionship banking). It is critical to be able to should be looking at how to make personali- understand their needs and what are the best zed proposals to clients. communication channels, to give personalized attention, to use new and innovative techno- logies, to understand the value of each client and to use sustainability and corporate res- Financial knowledge of clients and ponsibility principles to manage the relations- training of bank staff hip. The Estudios Financieros Foundation7 has re- “Regulatory change has created the need for cently published a study that covers the need a more flexible approach to financial busi- for financial education. ness. More flexibility in client relations, multi- functionality and diversity are necessary to be Mr Antonio Romero, Inés García Pinto and able to offer a more varied range of products Nerea Vázquez state in the report: Putting customer to the public.” 5 “Since the beginning of the crisis, financial service at the centre of In this manner, Customer Relationship Mana- education has been recognized as a vital skill their strategy, these gement studies should be transformed in or- and a key element for stability and financial emerging competitors der to realize the required changes. and economic development. As stated by the are more agile and can Financial Consumer Agency of Canada roll out new tools and Technology will be key to these new client re- (FCAC), low levels of financial literacy are a services more quickly, lationship channels. Banks that offer all servi- real obstacle for economic growth...from ano- and these will soon ces are running the risk of being overtaken by ther perspective, there has been much analy- become the industry competitors who are focused on digital tech- sis, including a document published in March standard. nology. Putting customer service at the centre 2011 by the European Commission that of their strategy, these emerging competitors points to the role that low levels of financial are more agile and can roll out new tools and literacy have had in magnifying the impact of services more quickly, and these will soon be- crisis. Aside from the exact perspective taken come the industry standard. 6 for each study, all coincide in the prevailing Value proposals will have the client and client need to promote financial literacy.” service at their heart, and not the product. Some improvements to clients’ financial lite- The trend will be to monitor client experience, racy is occurring, but it is still highly advisable as happens in other industries. from all points of view, including the defence Advisory services should be limited, to make of credit institutions’ own proprietary activi- sure the advice is adequate, and CRM studies ties.

5. El aula del accionista. Caixabank.

6. Accenture 2013 US Retail Banking Survey.

7. Document 52. Nuevos desafíos del sector financiero: Recuperando la confianza y mejorando la cultura financiera, capí- tulo VII. 2014. Fundación de Estudios Financieros.

13 INDUSTRY OBSERVATORY

It is clear that for the proper management of Distribution Channels increasingly more financially knowledgeable customers, even in environments of full trans- Channels are the tool used by the credit insti- parency and protection, it is still absolutely tution to communicate with its customers, dif- necessary that client relations are carried out ferent market segments and stakeholders to by staff with a similar level of knowledge and deliver its value proposition. understanding of the products and services Both client and Communication, distribution and sales chan- that are being sold. At this point it is not ne- employee education are nels are what join us to clients. These chan- cessary for us to analyse the malpractice that inherently linked. In our nels are points of contact that play a major has plagued the Spanish banking sector, nor opinion, they run role in the client’s experience. Therefore, in or- the consequences this has had on the confi- parallel in time and are dence placed in it. der to understand how technology will chan- a key factor in ge this and which traditional channels will recovering trust in the So, are bank employees prepared to meet this survive, we must analyse client channels, as- system. challenge? pects of how they can be integrated, their ef- ficiency and their profitability. Without a doubt, their knowledge and skills must be brought up to speed and aligned In a recent study by Accenture on commercial with the new post-crisis, regulation-heavy bu- banking in the USA, it is revealed that more siness models. Distribution channels will be than 70% of customers think that credit insti- modified and the new model will gravitate to- tutions should invest in remote communica- wards the client; that will require knowing the tion channels and related technology. clients and understanding their needs. Spa- nish banks are going to have to undertake an To summarize, client relationship strategy will important change management process to inevitably involve channel integration and the implement this. recognition that the bank must provide the client with channel options that best suit their Both client and employee education are inhe- rently linked. In our opinion, they run parallel needs. in time and are a key factor in recovering trust in the system.

Finally, and to close out this section, a quote La tecnología from Santiago Fernández and Alfonso Garcia Being able to understand the importance of from their study of the impact of the crisis, “the change in the demographic pyramid we technology in the new world of banking (un- have witnessed in recent years, and above all, derstood as the resource to support intensive the future trend, will require greater speciali- use of information, of knowledge obtained zation, not only in terms of products and ser- from operations and internet access, etc., ba- vices but also in customer management”8 sed on simplicity and agility).

8. Algunas implicaciones de la crisis financiera sobre la banca minorista española. 2008. Santiago Fernández de Lis y Al- fonso García Mora. Revista “Estabilidad Financiera” nº 15. Banco de España.

14 INDUSTRY OBSERVATORY

Opinions on this aspect are conclusive. Appro- the future will see it being employed to im- ximately 40% of IT budgets in larger organi- prove customer experience. This will mean IT zations are for projects to improve customer security becomes an ever more important is- experience making them agile and efficient at sue in remote banking. In the European Ban- a minimum cost. On the other hand, security king Barometer 1H14 published by EY, cyber is a key issue. (Source: Accenture, 2013) security/data security is number 3 on the list As we mentioned above, technology was pre- of most important issues of European banking Technology was viously employed to improve efficiency but institutions. previously employed to improve efficiency but the future will see it Where do consumers think banks should invest? being employed to Online banking 43% improve customer experience. Branches 38%

ATM‘s 21%

Mobile banking 20%

Call centres 12%

Social networks 7% Digital Traditional

Source: Accenture 2013 US Retail Banking Survey

15 INDUSTRY OBSERVATORY

Changes to Regulation and Supervision The European Union has revised its policies In this chapter, we will first endeavour to des- chanism. We will finish with a brief listing of related to banking cribe the regulatory changes that are affecting global regulation that directly impacts internal regulation and the banking sector as a whole. Secondly, we audit. supervision with the will refer to the new Single Supervisory Me- objective of building a strong, robust and transparent financial REFORM OF THE EUROPEAN BANKING SECTOR – NEW REGULATORY FRA- system. MEWORK From the beginning of the financial crisis, the to banking regulation and supervision with European Union has revised its policies related the objective of building a strong, robust and

Mandatory separation of proprietary trading and other high-risk trading. Additional separation of activities, conditional on the recovery and resolution plan. Amendments to the use of bail-in instruments as a resolution tool. Toughening of capital requirements on trading assets and real estate related loans (i.e. mortgages), aka fractional reserve LIIKANEN banking. REPORT Strengthening bank governance and control of banks, Global regulatory convergence. including measures to rein in or bail-in bonuses. Uniformity on the definition and quality of capital. BASEL III Liquidity and leverage requirements.

EMIR Greater transparency in OTC markets. REGULATION

Regain the confidence of investors and protect DODD FRANK ACT customers.

COMERCIALIZATION MiFID Customer protection.

Importance of conduct risk (Financial Conduct REMUNERATION Authority, UK).

REFORM OF THE EUROPEAN BANKING SECTOR

16 INDUSTRY OBSERVATORY

transparent financial system that looks after an adequate layer of reserve provisions the needs of the population, of the economy (bailinable debt). These provisions should be and of the market. kept separate from the banking system and would therefore decrease the incentive for Informe Liikanen risk-taking.

With a view to investigating whether the Eu- · Review of capital requirements for com- ropean banking sector was in need of structu- mercial and mortgage assets: the report ral reform, the European Commission commis- proposed implementing more solid and co- sioned a report, the Liikanen Report, to a herent risk weightings for measuring mini- group of experts chaired by Erkki Liikanen, mum capital standard requirements. Governor of the Bank of Finland. The report · Greater levels of control and supervision: counted on the collaboration of many direc- in this sense, the report proposed a series of tors, clients and investors from different ban- king groups as well as reknowned academic measures to strengthen control in credit ins- experts on banking. titutions: - Governance and Control Mechanisms: The report concluded that the banking model greater attention should be paid to go- failed during the crisis. The study revealed ex- vernance and control in all banks, espe- cessive risk-taking by institutions and excessi- cially at the Board level in the largest and ve dependence on short-term financing. This most complex entities. level of risk-taking was not adequately backed - Risk Management: strengthening control up by capital, and the high interdependency inside banks and building a risk aware between entities created extremely high levels culture at all levels of the financial insti- of systemic risk. tutions, legislators and supervisors by In order to increase and compliment the set of applying the Capital Requirement Directi- reforms, the European Union, the Basel Com- ves III and IV. mittee on Banking Supervision and the natio- - Bonus Schemes: in order to recover the nal governments of the Union set out a series levels of confidence between the general of proposals included in the report: public and bankers, the report proposed · Separation of traditional banking activi- that remuneration schemes be reformed ties from other more high-risk commercial so that they were proportional to sustai- activities. nable long term results (we will revisit this topic further on) · Contingency Planning: the report underli- - Risk Reporting: to further the recovery of ned the need for credit institutions to deve- confidence with the public and investors, lop and maintain realistic contingency and reinforce market discipline, require- plans. ments on public disclosure of risk were · Reserve holdings to cover losses: the re- modified to improve quality, comparabi- port underlined the need for banks to build lity and transparency.

17 INDUSTRY OBSERVATORY

- Sanctioning: supervisors should sanction large part of the entity´s business (com- those entities that do not comply with plex securitized assets, derivatives, OTC the proposed measures. etc.) Therefore, as recommended by the Lii- The new rules dictate kanen Report, the Commission has made it that the authorities NEW REFORMS IN 2013 mandatory to separate high risk activities must intervene from traditional banking (deposits and gua- On the back of the Liikanen Report and based proactively before rantees). Other high risk commercial activi- on existing regulation of member states, the entities begin to ties must also be held separate if they thre- European Union has developed a series of ad- experience financial aten the bank’s financial stability. ditional rules for banking, taking into account problems. worldwide agreed-upon principles for finan- cial stability and on other nation’s regulatory 2014 STRUCTURAL REFORM FOR LARGE development. This covers: DIMENSIONED BANKS

· New rules on capital requirements. During Additionally, in January 2014, the European the financial crisis, many countries had to Commission proposed a new set of rules on look to the state’s coffers in order save structural reform of the EU’s larger and more many in their banking sector. This highligh- complex banks. As stated by the Commissio- ted the deficient regulation and supervision ner for Internal Market and Services, Michael of the system. Therefore, new rules have Barnier, this reform constitutes the final piece been issued to increase the EU banking of legislation for the regulatory overhaul of sector´s resilience to future economic cri- the European banking system. The structural ses, and therefore guarantee that banks reform comprises the following aspects: continue to finance economic activity and growth. · Prohibits proprietary trading of certain fi- nancial instruments and commodities due · New rules on the recovery and resolution to the inherent risks. of banks. The new rules dictate that the authorities must intervene proactively befo- · Attributes to supervisors the power in cer- re entities begin to experience financial tain situations to oblige entities to legally problems. If, even after intervention, the fi- separate high risk activities, transferring nancial situation of a bank were to deterio- them to legally separate entities. rate more than was acceptable, sharehol- · Establishes norms regarding the economic, ders and creditors must take the initial loss and, if further resources were needed, the- legal, operational and governance rela- se could be obtained from the deposit gua- tionships between the separated entity and rantee scheme, which would cover 1% of the rest of the bank. deposits over 10 years. The impact of these measures will become · Mandatory separation of traditional acti- clearer in future years, but according to the vities from proprietary trading and other European Commission, the benefits can be high-risk trading. Some activities bring measured at between 75 billion and 140 bi- with them higher risks if they represent a llion euros per year, which represents around

18 INDUSTRY OBSERVATORY

0,6 and 1,1% of European GDP, due to redu- all confirmations should be done using this ced costs of potential future financial crises. standard.

· Conciliation and disclosure of information using SWIFT Accord: The best practice di- European Market Infrastructure Regu- rectives issued by the International Swaps lation (EMIR) for the Financial Sector and Derivatives Association recommend that the clearing process should involve Apart from the reform of the previously men- both parties using electronic to electronic tioned reforms of the European Banking in- communication, either in-house or third dustry, the sector is also affected by OTC mar- party. This electronic confirmation process kets regulation known as EMIR (European automates clearing and is the most reliable Market Infrastructure Regulation), that came and efficient method for confirmation, whi- into effect in the last quarter of 2012 and af- le mitigating risk in the process. fects all entities that deal in non-exchange traded instruments. The primary objective of this regulation is to deliver greater levels of transparency to financial markets, and help Dodd Frank Act in the United States entities evaluate risks. This comes via a set of As we have mentioned, the European Ban- obligations: king sector is being submitted to ever greater · Trade Registration: all parties of an OTC regulation and supervision so that its con- trade should disclose a set of identifying ducts its business in more responsible and transparent manner. Nonetheless, the EU is data for the trade to be registered, and this not the only one tightening its regulatory grip. data will be made available to the Europe- In the United States, there has also been a se- an Securities Market Authority (ESMA) and ries of measures, including the Dodd-Frank other authorities. Act of 11 July 2010. · Required Information: EMIR requires that This law promotes deep financial reform, co- trades be confirmed in a maximum time vering all aspects of banking after the worst The EU is not the only frame that varies depending on the charac- financial crisis since the Great Depression. The one tightening its teristics of the operation. The confirmation law’s primary objective is the restoration of regulatory grip. In the details the clauses of the contract and re- investor confidence and strengthening of cus- United States, there has quires a bidirectional process for both par- tomer protection in the financial markets. The also been a series of ties to reach an agreement. main aspects of the law are: measures, including the Dodd-Frank Act of 11 9 · SWIFT Confirmations: SWIFT messaging is · Strengthening of investor protection: gre- July 2010. the industry standard for confirmation of ater accountability, consistency and trans- bilateral trades using OTC derivatives, and parency.

9. SWIFT Society for Worldwide Interbank Financial Telecommunication.

19 INDUSTRY OBSERVATORY

· Systemic risk: increased levels of supervi- period for full implementation that runs from sion and regulation of financial institutions. the 1st of January, 2013 to the 1st of January, 2019. · Global financial markets supervision: bet- ter supervision in securities assets, derivati- The global scandals ves and ratings agencies. have provoked a INVESTOR PROTECTION regulatory tightening · Other mechanisms for preventing finan- with a spotlight centred cial crisis: avoiding repeating “Too big to The global scandals have provoked a regula- on client protection. fail” situations. tory tightening with a spotlight centred on client protection. The most significant initiati- · Increased international regulatory stan- dards and better global cooperation. ve in this sense is the Market in Financial Ins- truments Directive (MiFID) and the ever-incre- asing importance of conduct risk.

New Global Regulatory Framework In 2004, the European Unión adopted MiFID I in order to strengthen the regulatory frame- In order to bring in more global regulatory work around investment services and regula- convergence, the Basel III regulatory frame- ted markets. Through protection of investors work has been developed. This third Basel Ac- and the preservation of market integrity it ai- cord is developed as a response to certain de- med to promote equity, transparency and the ficiencies in banking regulation and looks to develop greater uniformity in defining mini- integration of financial markets. mum capital buffers. With respect to Basel II, In 2014, after 2008‘s financial crash, the Eu- it demands greater levels of equity and reser- ropean Union adopted MiFID II to replace Mi- ves, and a better quality of capital and credit FID I. Its objective was to develop a new fi- portfolios. nancial practice framework, making financial The main measures of the third Basel Accord markets even more efficient and transparent, are: and therefore strengthening further measures · Better capture of risks associated to certain of investor protection. This directive regulates, exposures. above all, new requirements for information · Increase in capital requirements. and registry of operations (EMIR). · Increase in the quality of capital required. Sovereign legislators have adapted the direc- · Reserve provision requirements. tive to their national markets. Spain passed · Introduction of leverage ratios. the directive into national legislation in two · Better risk management, better supervision laws: Law 47/2007 that reformed the Law and more market discipline. 28/1988 on Capital Markets, and the Royal · Introduction of liquidity requirements. Decree 217/2008 that defined the legal sta- These measures significantly tighten banking tus of entities offering diverse investment ser- regulation, and therefore there is a transition vices.

20 INDUSTRY OBSERVATORY

In order for investors to be treated equitably, · Post-trade transparency: Systematic inter- the Law 47/2007 set down certain obliga- nalizers must publicly disclose the volume tions around pre- and post-deal transparency. and prices of equity transactions carried out in regulated markets. This means secondary markets are obliged to disclose, prior to the deal, the bid and offer Therefore the tendency, both at European and prices and bid and offer volumes being quo- Sovereign state level is for greater transpa- ted on their systems. They must therefore also rency of financial markets, so that investors publish the price and volume of executed tra- can be better protected, and that markets can des. be more efficient and equitable.

10 In the case of multilateral trading facilities Conduct risk can be there are certain transparency requirements IMPORTANCE OF CONDUCT RISK defined as the risk that similar to official exchanges. results from the Conduct risk can be defined as the risk that conduct involved in the In the case of systematic internalizers11, they results from the conduct involved in the deci- decision-making will also have to comply with obligations for sion-making process at each stage of the pro- process at each stage pre- and post-trade transparency. duct cycle and that could lead to customer of the product cycle detriment. · Pre-trade transparency. Systematic inter- and that could lead to nalizers should publicly disclose the bid – The significance of this risk is increasing expo- customer detriment. offer quotes when customer orders are for nentially. For example, in the UK, the previous exchange quoted equities in a liquid market supervisor, the Authority and when orders are equal to or smaller (FSA), was split into two separate bodies. One than the standard size order for that class of those, the Financial Conduct Authority of asset. (FCA)12 has, as its name indicates, a specific mandate over this risk. Other countries are al- When dealing in non-liquid equities, syste- so reinforcing their supervision of conduct matic internalizers should only disclose the risk. quotes on the customer’s request. In June 2014, the Bank of Spain announced On the contrary, on larger than standard or- the creation of the new Conduct Supervisory ders for liquid equities, systematic internali- Division, which compliments the creation in zers have no obligation to disclose their 2013 of the Department for Market Conduct quotes. and Claims. According to the supervisor:

10. A multilateral system, operated by an investment firm or a market operator, which brings together multiple third-party buying and selling interests in financial instruments – in the system and in accordance with non-discretionary rules – in a way that results in a contract.

11. Traditionally called market makers, are investment firms who could match “buy” and “sell” orders from clients in-hou- se, or match them with other orders on its own book.

12. The other supervisory body resulting from the split is the Prudential Regulation Authority (PRA).

21 INDUSTRY OBSERVATORY

“Our new approach is intended as an answer · Count on sufficient push from senior mana- to the increased relevance and social impact gement in order to make the change with of bank-client relations, and this is a key as- adequate tone and commitment at the top. pect of the normal functioning of the banking Culture change within · Build conduct risk into enterprise risk ma- services market and is therefore in need of firms is essential if we nagement models and align it with the en- preferential attention from international regu- are to restore trust and tity’s risk appetite. latory and supervisory bodies.”13 integrity to the · Have adequate systems and controls. financial sector. The greater importance attributed to conduct · Have employees with the necessary kno- risk is no more than a natural response from wledge, skills and professional judgement. supervisors and regulators to the malpractice many banks dispensed to their clients during the financial crisis, as these banks were pro- duct-sales focused and not client-need focu- Remuneration related legislation sed. Changing this is a significant cultural Last but not least, the international organiza- change. tions identified that many credit institution‘s “Culture change within firms is essential if we remuneration policies led to non-prudent risk are to restore trust and integrity to the finan- management, and were in some cases causes cial sector and the FCA will continue to focus of the financial crisis. on how firms are managed and structured so that every decision they make is in the best The European Union was the first to underta- interests of their customers.” 14 ke this matter in this respect, mandating the Committee of European Banking Supervisors The FCA will be able to review management (whose responsibilities were later assumed by decisions, in some cases even before those the EBA), to develop a set of directives on re- decisions have become effective. These re- muneration policy. On the 10 December views, for example, may cause the prohibition 2010, the EBA published its Guideline on Re- of a product before its launch. The supervisor is treating this risk with an anticipatory ap- muneration Policy that was later passed into 15 proach, and it seems that this approach will Spanish legislation . not be exclusive to Anglo-Saxon jurisdictions Even though Spanish Commercial Banking in the near future. models have historically been more prudent In order to comply with current and future re- than Anglo-Saxon banking models, insofar as quirements around conduct risk, entities will bonus pay has traditionally been less signifi- need to: cant compared to total remuneration, our en-

13. Obtained from a Bank of Spain press release, 6th June, 2014.

14. Financial Conduct Authority, Risk Outlook 2013

15. Royal Decree 771/2011 of the 3rd June and Bank of Spain Circular 4/2011.

22 INDUSTRY OBSERVATORY

tities have also had to adjust to this legisla- verifying that adequate controls are imple- tion. This includes aspects related to: mented to comply with the new regulatory environment. Internal audit will be indispen- · Corporate Governance (Mandatory remune- sable to promote the efficiency and effective- ration committees). ness of financial operations and to evaluate · Deferral of some variable packages for so- risk management and control systems. me groups of employees. In order to comply, the internal auditor should · Bonus payments in the form of capital ins- take into account not only the previously truments. mentioned reforms, but also other regulation The internal auditor · Restrictions on bonus payments in entities specific to internal audit, such as the “Supple- should take into that received state aid. mentary Policy Statement on the Internal Au- account not only the dit function and its Outsourcing” (SR 13 is- previously mentioned The conclusions reached by PwC in its report, sued by the Federal Reserve of the United reforms, but also other “Remuneration in Spanish Credit Institutions States), or “The Internal Audit Function in regulation specific to – Regulation and Trends from a Survey of 13 Banks” and “Guidelines- Corporate Gover- internal audit. Entities,” are interesting. nance Principles for Banks” issued by the Ba- · The majority of those surveyed said they sel Committee for banking Supervision. clearly understood the implications of defe- Internal audit should also consider best prac- rring remuneration and linking that to risk. tice from its own profession, such as the “Re- However, there was misunderstanding as to commendations from the Committee on Inter- the formulas employed to calculate pay ra- nal Audit – Guidance for Financial Services” tes in capital instruments. issued by the Chartered Institute of Internal · 69% of entities extended the reach of the- Auditor of the UK. We will later analyse these se measures more than they were obliged documents in more depth. to. · In 93% of cases, bonus payments represen- ted less than 50% of total remuneration. · 38% of respondants were unaware of the change and 50% were aware of only some aspects. Only 12% were fully aware of where the trends for remuneration are Verify Controls going. THE ROLE OF INTERNAL AUDIT

The Role of Internal Audit Evaluate management systems and risk control Promote efficient Given all that we have previously noted and and effective the ever-tighter regulation and supervision of operations banking, internal audit will play a crucial role,

23 INDUSTRY OBSERVATORY

ADAPTING TO THE SINGLE SUPERVISORY MECHANISM

The Bank of Spain has stated “In June 2012, accountability and obligations, a conflicts of The supervisor will the heads of European states or governments interest policy, and appointments, audit evaluate the work of decided to promote the creation of a single committees and compliance functions. the internal audit bank supervisor in order to improve the qua- · Entities will have to invest in human resour- function and will lity of supervision in the Eurozone, thus pro- ces and technology, as the supervisor´s determine if it can rely moting market integration and breaking the continuous monitoring means that each on the identified areas negative link that was created between trust bank will have to create a dedicated and of potential risk. in banks and doubts about the sustainability dynamic solvency function. Internal audit of public debt. The Single Supervisory Mecha- will also require more resources, and will nism (SSM) is the first step towards Banking give more weight to risk assessment than Union that will be completed with the crea- control evaluation. tion of a Single Resolution Mechanism and a Single Deposit Guarantee Scheme”16. · Entities will have to adapt to a supervisory model that is operational, preventive and The SSM naturally evolved from the scheme strategic, and that relies more on dynamic devised to build European banking, where na- reviews of internal control, governance and tional supervisors, like the Bank of Spain, will solvency than reviews of accounts and fi- still have a significant role given the knowled- nancial statements. ge they possess. However, this integration me- ans change will be needed in the relationship In its consultative document, The Core Princi- between the entities and the supervisor, and ples for Banking Supervision, the Basel Com- this directly and indirectly affects internal au- mittee on Banking Supervision (BCBS), dedi- dit. cates a specific principal exclusively to inter- nal audit, and other important points: Listed next are some of the changes that will affect entities as a result of the banking union · Principle 26: Internal Audit and Control: the that will also have an impact on internal au- supervisor determines that banks have ade- dit: quate internal controls to establish and maintain a properly controlled operating · Entities will have to reorganize internally, environment for the conduct of their busi- and their Boards will have to sign off on a ness, taking into account their risk profile. clear risk appetite framework, which will in- These controls include, in addition to clude a capital planning policy, a risk mana- others, an independent internal audit func- gement and control policy and also a policy tion. on internal audit. The way entities approach transparency in their corporate structure · The supervisor will evaluate the work of the will have to be reviewed, along with board internal audit function and will determine if

16. http://www.bde.es/bde/es/areas/supervision/El_Mecanismo_Un_565aad4a9a47241.html

24 INDUSTRY OBSERVATORY

EUROPEAN BANKING UNION

The Origins of the Project: The Vicious Circle of Sovereign and Bank Solvency Components of the Banking Union

Sovereigngn Single solvencycyy Sovereign and Supervisor bankbank solvencys ratingsrat Deposit Single Banking Guarantee rulebook UnionUnion Scheme

Single Bank MarketM access solvencyy Resolution anda financing Mechanism costs

it can rely on the identified areas of poten- . It is probable the Supervisor will delegate tial risk. supervisory activities more frequently to in- ternal audit. This would mean more hours Internal audit is a key · The supervisor will also verify that the risk for internal audit. function for the Single management function is subject to reviews Supervisor, but if it is to by the internal audit function. There are also a number of activities, that al- develop the role, it though not mandatory, do constitute best needs to be · Well-developed public infrastructure should practice and that will be favourably viewed by strengthened. include internal audit systems; if these are the Supervisor: not included, financial markets and systems can become unstable and hamper improve- · Given the emphasis the supervisor is put- ment. ting on certain processes, such as capital planning and its integration with manage- As you can see, internal audit is a key function ment processes, internal audit should not li- for the Single Supervisor, but if it is to develop mit itself to providing assurance over data the role, it needs to be strengthened. Some of quality, but should look more deeply into the potential areas of improvement are: such processes.

. Align internal audit plans with those of the · The Board should be more implicated in objectives and priorities of the Single Super- process reviews, and therefore internal au- visor. dit should assure that the Board receives all the necessary information. . Assure that internal audit has the technical ability required to review the new supervi- · Internal audit should provide assurance on sed processes. the coherence of different strategic proces-

25 INDUSTRY OBSERVATORY

ses (strategic planning, business planning, for the ECB to take up its supervisory role ha- capital planning, finance planning and re- ve been pushed back from March to Novem- covery planning). ber 2014, meaning constant revision of dea- dlines (decision making processes, supervisory · Internal Audit should assure that the risk appetite framework is correctly embedded schedule, logistics, hiring of personnel, team into the organization’s processes. building and joint supervision).

The ECB will attempt to satisfy legitimate ex- pectations about its accountability and trans- : NEXT parency in line with the Inter-Institutional Ac- STAGES AND CHALLENGES FOR THE cord and Memorandum of Understanding, SINGLE SUPERVISORY MECHANISM being totally dedicated to the undertaking of its responsibilities. One of the main challenges that the ECB has had to meet is the extended scope and cha- Because the lack of personnel at the ECB may racter of its new functions. Additionally, the ti- make it difficult for them to carry out their meframe for getting the SSM operational is mandate effectively, it is probable that they very tight, much tighter, in fact, than the time will have to rely on the internal audit func- given to set up the ECB and Single Monetary tions of the supervised entities, and therefore Policy. it is critical that the capacity and independen- Another added difficulty is the modifications ce of internal audit functions be strengthe- It is critical that the capacity and made to the schedule. The dates pencilled in ned. independence of internal audit functions be strengthened.

SPECIFIC REGULATION AFFECTING INTERNAL AUDIT

Up to now this document has covered the moment in its consultation phase), both is- great changes that have been forced on the sued by the Basel Committee on Banking Su- banking sector as a whole. However we pervision; Supplemental policy statement on should also look more closely at those that the internal audit function and its outsour- are aimed at or directly affect internal audit. cing, from the Federal Reserve, January 2013; and Effective internal audit in the financial We are referring to rules, regulations, stan- services sector, from the Chartered Institute of dards and best practice issued by prestigious Internal Auditors (UK), July 2013. international bodies, of which we want to highlight The Internal Audit Function in One may be inclined to think that internatio- Banks, of June 2012 and Guidelines-Corpora- nal regulatory trends would only be of impor- te Governance Principles for Banks (at the tance to entities with foreign operations. This,

26 INDUSTRY OBSERVATORY

however, is not correct, given the global regu- EMPHASIS OF THE NORMATIVE latory convergence being seen in the sector. In INTERNATIONAL TRENDS the medium and long term, the principles set down and actions taken by the more active Independence of the Internal Audit regulators, primarily the Anglo-Saxon ones, Function will have a pervasive influence on other coun- tries, and therefore these trends are important Appropriate Tone at the Top for local credit institutions.

As is only logical, new rules and regulations are following and extend on the guidelines Continuous Audits set out by the International Professional Prac- tices Framework. Root Cause Analysis, Lessons learnt, Post Mortem It is worth mentioning the emphasis these do- cuments have on: Extended and reinforced audit Governance structures, defining the in- universe ternal audit’s place in the organization’s structure. Key aspects to be considered are the adequacy of the Internal Audit Charter, Continuous risk assessment as part of adherence to the International Standards and a dynamic planning process. The docu- of course the quality of the relationship with ments promote continuous audits as part of the Audit Committee and the Board. the risk assessment process, as well as sup- port for adjusting audit plans and universes. These are indispensable elements that gua- Internal audit’s added rantee the independence of the function wi- Internal audit’s added value in organi- value in organizations thin the organization. For organizations with zations should not be based exclusively should not be based overseas affiliates or branches, the regulators on uncovering the consequences and effects exclusively on insist that local audit directors have sufficient of weaknesses. What is of more relevance and uncovering the seniority, and that this should be comparable value to the organization is the identification consequences and to the executive management of the activities of root causes (root cause analysis, lessons le- effects of weaknesses. they audit. arnt, and post mortems).

The ability of internal audit to question It is clear that lessons learnt should not be li- executive management’s decisions. Inter- mited to those in-house. Understanding the nal audit should be able to push management causes of financial scandals will help organi- to improve the effectiveness of governance, zations identify weaknesses and improve their risk management and internal control. own internal controls.

It is necessary that the Board and its Commit- The regulators point to some significant tees establish an adequate “Tone at the Top” aspects to include in the audit universe: that supports and promotes the acceptance of Some are truly new, whilst others suggest internal audit at all organizational levels. that internal audit should place more empha-

27 INDUSTRY OBSERVATORY

sis on aspects that were already being consi- the business and that stress tests are ca- dered. We want to highlight: rried out.

· The governance structure for all significant · Environmental legislation. lines of business and at all levels. This inclu- Adding these risks to the audit universe, or des a review of the adequacy and effective- reinforcing the depth of the audit will require ness of risk responses. auditors to have new and more complex skills · The risk and control culture, (Tone at the and therefore training. Internal audit may ha- Top). ve to rely on external support to cover any gaps in its skill set. · The information reported to the Board and Executive Management for strategic and These documents highlight the need and des- ire of supervisors to rely on organization’s in- operational decision-making, reviewed for ternal audit functions, and that they should assurance that it truly aligns with the busi- have an open, constructive and cooperative ness model and strategy. bilateral relationship. This will allow relevant · The adherence to the risk appetite, asses- information to be exchanged so that both sing whether it is being considered in the parties may correctly and efficiently deliver on organization’s activities, limits and repor- their responsibilities. ting processes. The supervisors will have the power to review · Conduct and reputational risk. Internal au- the reliability of internal audit functions. This dit must evaluate the integrity of the orga- has a pervasive effect on the supervisor’s view nization in its client relationships, to ensure of the entity’s risk profile, and will allow them Adding these risks to that it offers clients products that are in li- to decide if they can rely on internal audit’s the audit universe, or work. ne with their needs. reinforcing the depth of However, internal audit’s relation with the su- the audit will require · Capital and liquidity management. auditors to have new pervisor is not the only one to become more and more complex · Strategic risk, as this is most often seen as important. The relationship with other assu- skills and therefore the cause of shareholder value destruction. rance providers, both external (external audi- training. tors) and internal (second line of defence) al- · Emerging risks: Large corporate operations, so grow in importance. new product launches and design, inves- tment project management, M&A, outsour- The sum of all these aspects combine to make cing etc. up a big new challenge for our profession, and also represent a significant opportunity · Cyber security risks: Increasingly important for us to strengthen our position. given the trend of new electronic channels (internet, mobile banking etc.). Further on, when we analyse the impact and trends for the profession, we will return to · Business continuity planning and disaster many of these aspects that are critical for the recovery, assuring these are aligned with future shape of internal audit.

28 INDUSTRY OBSERVATORY

Trend Analysis, Prospects and Impact

In previous chapters we have talked about Each of these transformational aspects, or the changes that are happening in regulation trends, have been classified in the following categories: and to the banking model, and we have loo- ked briefly at how these will impact on inter- - Human Resources. nal audit. - Organizational structure of internal audit departments.

It is now time for us to go into more depth - Approach, scope and the organizations of External demands on and analyse the key transformational aspects audits. internal audit and we expect to see for internal audit. Our con- - Resources and technical requirements. internal demands will clusions are based on a survey of CAEs of oblige internal audit The analysis of each of these trends has been executives to look for Spanish Financial Institutions carried out by summarized in trend and prospect tables in greater efficiency in all the Spanish Institute of Internal Auditors. the appendix of this document. aspects of their work in order to accomplish their objectives. TRENDS THAT IMPACT ON THE HUMAN RESOURCE STRUCTURE OF INTERNAL AUDIT DEPARTMENTS

In the 2014 study, the State of the Profession, to increase the efficiency of its work. External chartered by the Spanish Institute of Internal demands on internal audit (regulatory and su- Auditors, 26% of the 50 respondent organi- pervisory requirements) and internal demands zations reported that their internal audit de- will oblige internal audit executives to look partments had less auditors than the previous for greater efficiency in all aspects of their year, (14% in 2013). Additionally, 26,5% said work in order to accomplish their objectives. that the budget assigned to internal audit had shrunk, (16% in 2013). However, we are Some areas where we might expect to find of the opinion that internal audit groups in these efficiency gains are: Spanish credit institutions will remain stable Improvements to the audit process or increase slightly in the short and medium · Greater emphasis on audit planning. This term. phase of work is key as it forms the basis Along with what we see as a positive trend in for fieldwork. Risk and auditable control terms of resources, we expect internal audit mapping, process owner interviews and

29 INDUSTRY OBSERVATORY

programme design are all key aspects of tor, often referred to as the fourth line of de- planning. This ends with communicating in- fence. ternal audit scope and objectives to mana- For this to be achieved, we need to adopt a gement. We need to adopt a holistic view of who the assurance providers · Centring audits on critical risks and key holistic view of who the are and promote coordination between them. controls. As a result of better planning and assurance providers are The 2013 document published by the Spanish better knowledge of processes, internal au- and promote IIA’s Think Tank, A Framework for Internal Au- dit work should be focused on key risks and coordination between dit’s Relationship with other Assurance Func- controls. them. tions, highlights that coordinating assurance · Use of statistical techniques to select sam- activities will provide for more efficient use of ples can lead to time gains and increases resources and improved efficiency for internal the representativeness of the sample with audit. respect to the population, and it will there- fore not be necessary to undertake additio- These efficiency gains provide a positive take nal testing to confirm findings. on the three lines of defence model. We belie- · Use of mass data analysis techniques can ve that the model will tend to see a streng- enable internal audit to extend its scope, thening of the role of the second line of de- quantify findings and better understand fence as they take on additional responsibili- risks. This is an area that still has plenty of ties in their organization’s control environ- scope for growth, as was pointed out by ment. Investment in training teams and sys- PwC in their 2013 study on the State of In- tems will therefore be a key aspect. ternal Audit. According to this study only This could also be an opportunity for rotating 31% of respondents said they used advan- internal audit teams in the organization, as ced data analysis techniques. departments such as risk management and internal control maybe seen as a natural pro- Eliminating duplicity and improving coordi- gression for internal auditors. nation with the second line of defence and the external auditors. Providing assurance over the design and ef- 71% of CAEs that responded to the survey fectiveness of the second line of defence. confirmed that the three lines of defence mo- Apart from the coordination tasks described del was implemented in their organizations. previously, we must not forget that internal However, there remain opportunities for im- audit is the only function capable of providing provement that will make it possible to incre- independent assurance. So, on top of the ase its effectiveness. strengthening of the second line of defence, Obviously it is extremely complicated for inter- internal audit should include in its audit plan- nal audit to cover all the risks in an organiza- ning, reviews that provide independent assu- tion, without relying on the assurance provi- rance over the design and effectiveness of the ded by the second line of defence and other components of the second line. As internal assurance providers such as the external audi- audit increases its reliance on second line

30 INDUSTRY OBSERVATORY

controls, more equilibrium can be given to ked up by the 2014 Study on the Banking first line reviews. Sector commissioned by the Spanish IIA, in which 62% of CAEs reported that training Greater specialization will be required hours will increase and nearly 85% reported to deal with specific risks, therefore that they monitor the training required and more training will be needed received to guarantee that the internal audit function has the required skills at its disposal. The complexity of the business environment and regulatory pressure is pushing banking The US Fed states that, “auditors should have towards a new supervisory model, which in a wide range of business knowledge, de- turn implies changes and more specialization monstrated through years of audit and in- of internal audit. More talent will need to be dustry-specific experience, educational back- In order to meet the made available to internal audit functions. challenges of the ground, professional certifications, training changing and complex The challenge for internal audit is therefore to programs, committee participation, professio- business environment, keep on improving its capabilities, adding va- nal associations, and rotational job assign- internal audit teams lue with respect to the new risks that emerge ments.”17 We would like to highlight the im- will have to be and increasing in relevance. Plans must be portance given to professional certification, multidisciplinary. prepared to meet these new challenges, revie- committee participation and professional as- wing capability in search of improvement op- sociations. portunities.

Internal audit needs adequate resources to Increases in integrated audit teams add value and improve performance, exten- made up of auditors with different ding its scope to providing not only assurance specialities, with the emergence of su- but advice on critical risks. For this, internal per internal auditors that combine audit needs specialized knowledge on tradi- knowledge of different relevant areas tional and emerging risks, elevating the level of training required. In order to meet the challenges of the chan- ging and complex business environment, in- There are a number of emerging risks that will cluding regulatory pressure and technological require greater professional specialization, innovation, internal audit teams will have to such as large projects, new, more complex be multidisciplinary. products, M&A activity, IT infrastructure, busi- ness continuity and big data etc. This implies an ongoing fusion of IT related Internal audit needs to have the capability to risks with functional risks from audited areas. audit all areas of an organization, deploying With this approach, new risks can be cons- auditors with extensive knowledge and expe- tantly detected and evaluated using mass da- rience. Specialized training is key. This is bac- ta analysis techniques.

17. Supplemental policy statement on the internal audit function and its outsourcing. January 2013. Federal Reserve.

31 INDUSTRY OBSERVATORY

Will audit teams become more integrated, with different specialists including an IT auditor?

Totally agree

Agree

Neither agree or disagree This will require an Disagree ongoing commitment on the part of CAEs and Totally disagree the Audit Committee to quality and innovation 0% 10% 20% 30% 40% 50% in their audit % of respondents affirming approaches. Source: 2014 Survey of Spanish Banking CAE’s. Spanish Institute of Internal Auditors.

Technology is not just for detecting IT risks, it emergence of what we will call the super au- is also a facilitator of mass data analysis in ditor, capable of understanding the majority audit field work. Risks can be detected more of risks faced by a bank. This will require an effectively and at no extra cost. ongoing commitment on the part of CAEs and the Audit Committee to quality and innova- Multidisciplinary teams will help all involved tion in their audit approaches, which will in to better understand risks and applicable con- turn generate improvements to data analysis trols. In the medium term we will see the and audit conclusions.

TRENDS THAT WILL IMPACT ON THE STRUCTRE OF INTERNAL AUDIT DEPARTMENTS

The CAE will report directly to the Bo- ment systems, and providing supervision over ard or an Audit Committee that in the process of the development, disclosure turn will be more involved in the buil- and integrity of financial statements and re- ding of the audit plan and understan- porting. ding of audit conclusions. The Unified Corporate Governance Code for Firstly, the draft version of the Spanish Mer- publicly listed companies in Spain recom- cantile Code, Section VIII, states that the res- mends in point 47 that, “all publicly listed ponsibilities of the Audit Committee include, companies should have an internal audit among others, providing supervision over the function that, under the supervision of an au- internal controls of the entity, providing su- dit committee, is responsible for the effective- pervision over internal audit and risk manage- ness of information systems and internal con-

32 INDUSTRY OBSERVATORY

trol.” Point 48 states, “the person in the posi- This level of the Audit Committee’s involve- tion responsible for the internal audit function ment with internal audit requires frequent, should present their annual plan to the audit open and candid communication that is not committee, should elevate any issues related merely a formality. This requires: to the execution of the audit plan, and should · Opportunities for Audit Committee mem- present an annual report on internal audit’s bers and internal auditors to comment on activities.” themes of interest, industry risks, business As we can see, the Audit Committee is extre- model changes, new operations, regulatory mely important with regards to the internal changes, as well as opportunities to meet audit function, and specifically to the annual more regularly, including outside formal audit plan, the understanding of findings, the work sessions. follow-up of recommendations, and the per- · More meetings between the Audit Commit- formance review of the function. This is bac- ked up by the PwC document, New Challen- tee, management and internal auditors, so ges for Audit Committee in Publicly Listed that communication may be improved and Companies. the Committee’s horizons widened. · Adopting a risk-based approach that sepa- The Committee is also extremely important rates management and supervisory func- for aligning internal audit through the strate- tions. gic and annual audit plans.

The Spanish IIA survey on the banking sector Additionally, internal audit should strengthen highlights the involvement of Audit Commit- its relationship with Executive Management tees with internal audit functions and that in Committees, given their expectations for in- the medium term this will be evidenced by ternal audit may not coincide with those of performance reviews, follow-up of recommen- the Audit Committee. Internal audit should dations, and internal audit planning. consider both.

Audit Committees will be more involved in…?

Follow-up on recommendations

Obtaining a better understanding of audit findings and action plans

Carrying out performance reviews of internal audit

Creating the Internal Audit Plan

0% 5% 10% 15% 20% 25% 30% 35% % of respondents affirming. (Multiple options available)

Source: 2014 Survey of Spanish Banking CAE’s. Spanish Institute of Internal Auditors.

33 INDUSTRY OBSERVATORY

There will be greater demands for in- ethics. However, they are less satisfied with formation (quantity and quality) as the contribution internal audit makes in less the Board’s and Audit Committee’s traditional areas, such as reviewing large pro- jects, product launches, the management of Internal Audit should responsibilities become clearer. investment projects and M&A. therefore leave behind The Single Supervisory Mechanism has im- its traditional role of plied that board members have greater res- Internal Audit should therefore leave behind looking exclusively at ponsibility in the organization’s risk manage- its traditional role of looking exclusively at control testing in ment. To achieve this, it is required that insti- control testing in mature processes, and mature processes, and tutions have Board Delegated Committees, should adopt a risk-based model that allows should adopt a such as the Audit Committee, that can reinfor- it to look at emerging processes and risks, risk-based model that ce risk management and supervision and sup- which can add value to the organization at allows it to look at port the Board as a whole. this time. emerging processes and risks. This means a greater demand for information With this in mind, internal audit should un- and reporting to the Board and its Committe- derstand the expectations of each interest es. The trend is for effective and transparent group, which, in many cases these may not be communication channels to exist between the the same, and it should also be able to com- audit committee and all stakeholders, inclu- municate the services internal audit can provi- ding other Committees. de each one.

In a study carried out by PwC on the state of The majority of organizations responding to the profession of internal audit, it was repor- the IIA’s survey stated that the one of the ted that stakeholders are satisfied overall with challenges for internal audit is the quest for the contribution of internal audit in traditional avenues through which it can extoll its value areas of action: financial controls, fraud and adding capacity to the organization, through

How will the number of special projects evolve in the next three years compared with traditional audit projects?

Significantly decrease

Decrease, but not significantly

Stay the same

Increase but not significantly

Increase significantly

0% 10% 20% 30% 40% 50% 60% 70% 80% % respondents

Source: 2014 Survey of Spanish Banking CAE’s. Spanish Institute of Internal Auditors.

34 INDUSTRY OBSERVATORY

better stakeholder understanding and more Given that the audit committees must rely in reactivity to these expectations. the internal audit function for many of its su- pervisory responsibilities, it is critical that in- Internal audit should gain the confidence of ternal audit knows the organization’s stra- these stakeholders. It should provide informa- tegy, and should attend executive meetings to tion that demonstrates that its activities are gain this insight. aligned with the business’s critical risks, that its resources are efficiently deployed and that CAEs that answered the survey have indica- any deficiencies are adequately remediated. ted that in the next three years they will be looking closer at governance and strategic Benchmarking studies are helpful in compa- risk. The number of requests ring the audit function to those of industry Internal Audit, as the third line of defence, is from management for peers and through the use of metrics and responsible for providing supervision and as- internal audit to KPIs, it will be possible to monitor the perfor- surance over good governance, risk manage- undertake special mance and development of the function. ment and compliance. This further enforces projects is a great The number of requests from management for the need for an audit function with sufficient barometer of the internal audit to undertake special projects is knowledge and experience. confidence in the a great barometer of the confidence in the function and the value High powered internal audit functions, as they it creates. function and the value it creates. The study should be perceived by the organization’s sta- undertaken indicates an increase, though not keholders, require the right level of sponsors- significant. hip and adequate human and technical re- sources to be able to add value. Internal audit needs to be empowe- The seniority of the CAE is critical, given the red, in terms of resources and repor- closeness of the relationship with the Audit ting lines, as well as sponsorship, inte- Committee and its president. The audit com- gration and participation on executive mittee is chosen based on its knowledge of committees, and involvement in their accounting, risk management, and audit, as strategic processes. well as their experience in different industries, We need first to refer to the Spanish Draft (financial, non-financial and teaching). Most Law of the Organization, Supervision and Sol- are members of other boards and have exten- sive professional experience. The CAE should vency of Credit Institutions from 14th Fe- possess a level of experience, knowledge, and bruary 2014, which underlines the importance interpersonal and negotiating skills to be able of having an independent internal audit func- to interact appropriately with the audit com- tion. The current economic climate and the re- mittee. quirement for better corporate governance have contributed to the changes and constant CAEs should encourage the function to reach adjustments being made to regulation and out for new challenges, questioning the status the promoting of best practice in corporate quo and redefining the future of the profes- governance. sion.

35 INDUSTRY OBSERVATORY

Internal Audit will face organizational to deliver real time responses the expecta- change derived from change to ban- tions of administrators and stakeholders. king business models.

The changes identified for banking business models, regulatory requirements, the single New resources will be deployed to de- supervisor, and the makeup of other stakehol- al with, and respond to the Single Su- ders will entail changes in the risks requiring pervisory Mechanism, and to the Au- audit and therefore in internal audit’s resour- dit Committee. ces, media and approach. Currently most of internal audit’s administrati- This state of constant change, with ever-tigh- ve tasks, such as report writing for the Audit ter regulation and greater compliance costs Committee or executive management and in- means that business models will change, and ternal quality assurance programs are under- internal audit should adapt. This will require taken by internal audit staff and the CAE. new and innovative policies to improve effi- ciency and profitability. We expect that in the short and medium terms, an effective SSM will require more and New business models will mean entities will more information from the entities. This addi- have to: tional requirement will mean that resource · Implement a clear framework for risk appe- planning will have to take into account any tite that should be audited, which will re- extra hours dedicated exclusively to covering quire a period of adaptation and further in- this task. vestment in human resources and techno- After understanding the true impact this ma- logy. kes on resources, we should be looking at · Build an infrastructure that responds to the how to strengthen internal audit teams and new regulatory requirements, with preven- whether this can be achieved by existing re- tative systems for strategy, corporate gover- sources. This is likely to drive organizational nance and processes that improve innova- change, with separate audit teams doing tion and quality through greater technical fieldwork and reporting. deployment. Some larger entities already have specific te- Internal audit should conduct its business ams dedicated to creating and communica- while taking into account the organization’s ting reports. These teams: risk profile, developing capabilities that keep · Have specific knowledge of information re- it up to date in a changing environment, and quirements specific to each stakeholder employing innovative and creative solutions · Have a dual view of work carried out: High that add value. level, of all the work carried out by internal This change should be met head on by inter- audit, and in detail, so that reporting is cle- nal audit and it should develop the capacity ar and precise.

36 INDUSTRY OBSERVATORY

TRENDS THAT WILL INSTIGATE CHANGE IN THE APPROACH, SCOPE AND ORGANIZATION OF REVIEWS

Traditional, onsite internal audit of and this will break the traditional concept branches will decrease and become of audit frequency. (Low risk offices may less important in terms of auditors de- not be visited in many years). Now that remote ployed and branches visited. · However it is very likely that top manage- auditing of branches is highly developed, it is One key aspect of change that will bring more ment will still want internal audit to evalua- time to dedicate efficiency to internal audit is the reduction of te branches, as these evaluations add signi- resources and budget traditional onsite branch audits. ficant value to management. So, one of the to develop remote challenges will be to develop a single risk The truth is that this is already happening and audit techniques to internal audit has been carrying out remote indicator for branches that groups together review other risks. branch audits rather than on-site. However, remote and onsite audit conclusions. the trend is not finished and is set to continue · Increase in cross-functional audits, where as new technology allows internal auditors to the audit objective is not the branch, but a gather and review more and more informa- specific risk. (Evaluations of the level of tion remotely. control for that specific risk will be revie- Contributing to this accelerating trend are do- wed across branches) cument management techniques that allow · This cross-functional approach may drive for more and more information to be availa- internal audit functions to radically change ble in electronic formats (contracts, ID etc.) their organization, deploying teams specia- This will drive more changes: lized in specific risks. This may mean the · Some entities will only do onsite visits complete extinction of dedicated branch when a risk or compliance flag is raised, network auditors.

Will resources dedicated to onsite audits decrease?

Totally agree

Agree

Neither agree nor disagree

Disagree

Totally disagree

0% 10% 20% 30% 40% 50% % respondents Source: 2014 Survey of Spanish Banking CAE’s. Spanish Institute of Internal Auditors.

37 INDUSTRY OBSERVATORY

For example: tal and liquidity risks, and financial reporting - The credit risk audit group will audit all risks. aspects of credit risk and will visit bran- However, this will require considerable inves- ches just to audit credit risk and define tment with limited return on that investment remotely observable indicators that in the short term. should be monitored. - The business risk audit group will moni- There will be an increase in dynamic tor business risk in branches. risk assessment to prioritize internal - And so on with other risks. audit assignments.

This new approach does have a downside, As we have mentioned previously, credit insti- and that is the ability of the different audit te- tutions’ internal audit functions have been ams to work together efficiently and not lose considering questions related to remote or the integrated view of risk associated to the continuous auditing. This debate is not only branch network. applicable to the banking sector. Some ques- tions being asked are: We will see an increase in remote au- · What are we using remote audit tools for? diting, and this will extend to areas What is the objective of these tools? other than just the branch network. · Is the development and use of these tools Remote auditing has evolved tremendously to really the responsibility of internal audit? help financial entities evaluate risks in branch Should this be an activity carried out by the networks. However, the use of remote techni- second line of defence? ques for auditing other auditable entities in We believe that internal audit functions will the audit universe has been very sporadic and use these tools and techniques for two speci- mostly scarce. fic objectives: This is probably due to the fact that remote · Detecting fraud red flags (where internal audit has been traditionally employed by in- audit is primarily responsible for detecting ternal auditors with a deep knowledge of internal fraud). However this approach branch risks and little understanding of other must overcome a considerable obstacle: areas of risk. On the other hand, audit teams how to build effective fraud metrics and in- that review non-branch related risks have not dicators that really do detect and prevent had the opportunity, and do not have the fraud. Remote audits of branches generate knowledge or budget to develop remote audit reams of information, indicators and alerts techniques. for review, but precious few are designed to detect internal fraud. Now that remote auditing of branches is highly developed, it is time to dedicate resour- · Using remote indicators to carry out dyna- ces and budget to develop remote audit tech- mic risk assessments. This will mean that: niques to review other risks. Some key areas - Branches to visit on site will be decided where this may be deployed are IT risks, capi- in real time and based on levels of risk.

38 INDUSTRY OBSERVATORY

- Internal audit planning will also be dyna- New approaches to projects will be mic and adapt to the dynamic risk as- implemented, with innovative scopes sessment. and conclusions.

One key question that internal audit functions Audit will place more emphasis on are looking to answer is, how can they add process reviews, management infor- more value and help drive improvements mation and corporate governance. through their work, reports and conclusions?

The SSM has placed emphasis on processes For internal audit to do this, various develop- such as capital planning and how it relates to ments might happen: More audit teams the management of the entity, as well as how · Management-requested audits may increa- will employ new it integrates with other processes. Internal au- se. approaches, dit should not limit the scope of its reviews to · Governance framework reviews will increa- traditionally out of their data quality, but should extend it to include se. comfort zone. these processes. · More audit teams will employ new approa- For example, with regards to capital calcula- ches, traditionally out of their comfort zone. tions, many internal audit functions will create These assignments will be more daring, integrated teams (especially IT auditors) in or- where conclusions will be more focused on der to: opinions, with a larger component of sub- · Build simulation models with the help of IT jectivity. For example, we may be expected auditors (and integrated teams). However to provide an opinion on: this alternative is particularly expensive in - Whether customer contracts and clauses terms of resources and can only be affor- are clear. ded by large internal audit functions. - Whether credit risk analyst reports are of · Understand all processes contributing to sufficient quality. capital calculations, taking into account - Whether costs associated to specific pro- that most calculations are highly automa- jects are reasonable (emphasis on IT). ted. - New product launches prior to their Certain aspects will gain importance in an en- launch. tity’s audit universe, and will require including assignments related to: The type of work undertaken by inter- · Corporate governance. nal audit will change significantly in the medium term. · Information delivered to the Board and executive management for strategic deci- This will be a product of various events: sion-making. · First, the requirement to provide new re- · Strategic and business risk. ports to regulators and supervisors will dri- · Other emerging risks: ever more complex ve a new approach and require new capa- sales processes, new product launch, M&A bilities to be made available to internal au- and CAPEX projects. dit teams.

39 INDUSTRY OBSERVATORY

· Changes to rules and standards specific to count is stable (some entities do envisage internal audit, (Fed, Basel, etc.) will oblige large increases), it will mean that the num- audit to monitor new risks that emerge ber of reviews included in the audit plan from different areas: risks associated to will have to be revised. This, in turn, means strategy and business, capital and liquidity, that audit coverage must be supplemented conduct and reputation, risk appetite, go- with continuous audit techniques and tech- vernance and M&A. nologies. · We should highlight the need for internal On the other hand, Audit Committees will audit to align itself with risks (legal, reputa- increasingly be involved in the annual audit tional, etc.) that are associated to new pro- plan. This, along with the need to adapt to ducts. This requires that the internal audit the predicted changes and to align internal function is present, at least in an observa- The risk assessment audit to strategy, will require internal audit tory role, in the communications and mee- process will become plans to be more dynamic and flexible, and tings held on the matter. This has a dual more relevant, meaning open to change after approval by the Audit purpose: that more resources Committee. will be needed than - Prevent and detect new risks that emer- previously. ge in the constantly changing financial · The risk assessment process will become environment. more relevant, meaning that more resour- - Promote a risk and control culture ces will be needed than previously. throughout the organization. A continuous approach to risk assessment · Internal audit will also have a role in moni- will be adopted that will employ conti- toring new risks that are emerging. Aspects nuous monitoring systems, indicators, and such as cybersecurity, environmental rules, automatic risk alerts. Remote and conti- etc. will drive changes to corporate risk nuous audit techniques that are currently maps and audit universes and therefore re- used in branch audits will be employed by quire a progressive and constant capacity other areas. to adapt. Models for risk assessment will be based on a harmonized evaluation methodology The profound change in the regulatory that will be borne of the new supervisory framework will have a direct impact model. on internal audit’s methodology. · Greater regulatory involvement will mean These changes will happen in all phases of that requests for assignments will be ca- audit work, specifically: rried out with less flexibility on scope. · The volume of work included in the an- On the contrary, projects voluntarily inclu- nual audit plan will increase as a direct ded in the audit plan will have new appro- result of regulatory demands. aches, and an innovative scope. Fixed audit This will require that internal audit has mo- programmes will give way to ad-hoc, pro- re resources for the additional work. Given ject-specific ones that adapt to the environ- that the outlook for the internal audit head ment, the entity and stakeholder demands.

40 INDUSTRY OBSERVATORY

With regards to combined assurance, it do- scope. Despite the majority of entities se- es not seem likely that in the short term, eing evolution in that direction, there is still that this will have an impact in assignment a long and winding road ahead.

TRENDS THAT WILL IMPACT ON RESOURCES AND TECHNICAL RE- QUIREMENTS

Internal audit teams will rely more fre- trols, and use mass data analysis to obtain as- quently on evaluations of the effecti- surance on business processes and appropria- veness of automated controls and te risk mitigation. There will be occasions mass data analysis in order to reach when sampling will be substituted with whole audit conclusions. population analysis. This will mean that teams will include person- The increase in the use of technology in ban- nel with specific technical knowledge, inclu- king has generated enormous amounts of da- ding IT specialists, as is evidenced by the re- ta, and this means that processes must now sult of the survey on team composition (see contain many automated controls. graph on page 34).

Internal audit teams should now look more Continuous auditing is a key technique for Teams will include closely at the functioning of automated con- evaluating the probability and impact of risks personnel with specific technical knowledge, What changes do you expect to see in the resources and technology used for internal audit? including IT specialists.

Tools for dynamic risk prioritization

Deployment of tools for continuous auditing

Intensive use of data mining

Tools for internal audit knowledge management

Tools for fraud detection

Other

0% 5% 10% 15% 20% 25% 30% % respondents (multiple options available) Source: 2014 Survey of Spanish Banking CAE’s. Spanish Institute of Internal Auditors.

41 INDUSTRY OBSERVATORY

and for detecting one-off findings that must the use of new tools for data management, be corrected by the organization and used for discovery and processing. internal control improvements by the busi- The term “Big Data”, so fashionable of late, ness. The development of continuous audit looks to connect this idea with the technology models and procedures is a challenge that ne- necessary for processing. Without abandoning eds to be met by the majority of internal audit traditional, well-structured relational data departments in Spanish credit institutions, as that is usually a result of mature processes, was evidenced in the survey. there is now a need to enrich the conclusions The internal audit The internal audit function has a fascinating we can extract from the data that is more function has a and difficult, but achievable challenge of as- unstructured and comes from non-traditional fascinating and activities. difficult, but achievable suring that applications that generate data le- challenge of assuring ave a reliable audit trail. Technologically ad- The possibility of being able to employ tools that applications that vanced platforms will allow the auditor to na- to agilely manage these amounts of data can generate data leave a turally correlate and analyse these trails. mean the difference between creating and reliable audit trail. not creating value. Internal audit should the- Traditional audit must not be abandoned as refore be able to use this type of tools, as this will still provide assurance on diverse ac- their appropriate use will mean better assu- tivities, but we should employ new tools for rance for the business. the reviews, as the validity of the data that the entity manages is a key mechanism to According to the CAEs who participated in guarantee effective oversight. the survey, changes to the capacity of techno- logy to manage huge amounts of data and The evolution of business and techno- the integration of this technology into the in- logy will go hand in hand with the use ternal auditor’s fieldwork will have a big im- of new tools to support audits. pact on the function. Specifically in this order, it is expected that technology will boost dyna- The massive amounts of data available in en- mic risk assessments, the use of continuous tities are a paradigmatic change that implies auditing tools and intensive data mining.

Assurance and Combined Assurance

To add to the many opportunities that inter- mented, there are further opportunities rela- nal audit has to create value in the banking ted to other assurance-providing functions. industry, on which we have previously com- Our study has revealed that the majority of

42 INDUSTRY OBSERVATORY

credit institutions have a risk management This means the three lines of defence model model based on the three lines of defence requires a workable scheme that guarantees model. efficient and effective interaction between the

This model, despite being considered best lines. practice, does bring with it a series of challen- In order to be effective: ges: · Organizations should have a clearly defined · That there exists a clear definition of res- ponsibilities. methodology and adequate responsibility assignment for all elements of the model. · That there is assurance that business unit objectives are aligned with strategic organi- · The organization’s objectives, at all levels, zational objectives. should be understood and shared by the · That control processes add value to the bu- three lines of defence, and risk appetite siness. should be appropriately defined and com- municated. · That assurance providers have profiles, ca- pabilities and common tools that are com- · The profiles of the professionals should be parable. equivalent to the challenges of each func- The magnitude and complexity of risk mana- tion, and their lines of reporting should gement in credit institutions means that the coincide with the weight of their responsi- responsibilities undertaken by the second line bility. of defence have to be shared between various units or departments. This requires establis- · The methodology should encourage proac- hing mechanisms that ensure adequate coor- tivity, and responsibilities should strengthen dination between different functions and the the preventative rather than corrective na- comparability of reporting. ture of assurance.

EFFICIENCY AND EFFECTIVENESS IN THE THREE LINES OF DEFENCE MODEL

· Clearly defined methodology. Clearly assigned responsibilities. · Objectives understood and shared between lines. · Adequate professional profiles. + EFFICIENT · Adequate reporting lines. · Preventive over corrective.

· Collaborative working between all three lines. Transparent communication. · Single source of data for risk management. + EFFECTIVE · Assurance coverage maps that identify who is responsible for risks and with what frequency.

43 INDUSTRY OBSERVATORY

In order to be efficient: ment and governance and increase the com- fort levels audit and risk committees have re- · Organizations should have a coherent wor- garding their assurance models, including king methodology that promotes collabora- how this relates to the established appetite tion between lines, uses a common langua- for risk. ge, generates comparable reporting and in- cludes transparent communication. The implementation of combined assurance models has highlighted that internal audit is There are many reasons · Technological support should be common the function best suited technically and orga- why internal audit has and allow for transfer of information bet- nizationally to lead such an initiative. been chosen to lead the ween lines, so that there is just one single implementation of set of data used for risk management. There are many reasons why internal audit combined assurance in has been chosen to lead the implementation banking entities. · Organizations should create an assurance coverage map, that allows the organization of combined assurance in banking entities, to see the depth of assurance cover over some of these being: significant risks, and who is responsible for · The extensive knowledge it has of proces- those risks. ses and controls. All this should be backed up by an indepen- · A global and objective view of control dent evaluation undertaken by internal audit. structures.

· No conflicts of interest with regards to se- COMBINED ASSURANCE gregation of duties and responsibilities. · Knowledge of the whole organization and Opportunities for the future of internal audit do not end here. its operations.

The previously described situation has not be- · Experience managing cross-functional pro- en lost on many entities, nor ignored by regu- jects. lators, and this has driven the emergence of · Experience in communicating with executi- management models intended to solve the ve management as well as all other levels problems. of the organization. The King Code of Corporate Governance, bet- The response to the obvious question of how ter known as King III, proposes a Combined this impacts on the independence of the inter- Assurance model that it defines as, “the inte- nal audit function, if it is involved in the im- gration, coordination and alignment of all as- plementation of a combined assurance mo- surance functions within an organization, in del, can be found in the Practice Advisories order to improve the level of governance, risk from the IIA. Specifically 2050–1 dedicated to and control.” coordinating combined assurance, which lays Ultimately, combined assurance looks to ma- out certain criteria that should be followed by ximize the efficiency of control, risk manage- the internal auditor.

44 INDUSTRY OBSERVATORY

Appendix – Trend Table

HUMAN ORGANIZATIONAL APPROACH, SCOPE AND RESOURCES AND TECHNICAL RESOURCES STRUCTURE ORGANIZATION OF REVIEWS REQUIREMENTS

TREND: There will be an increase in effective resources, which will, in turn, improve effi- HUMAN RESOURCES ciency.

EXPECTATIONS · Audit critical risks and controls. · Improve sampling and data analysis techniques. · Improve internal audit planning (knowledge of auditable entities and risks). · Better coordination with the second line of defence. · Reinforcement and improved relevance of the second line of defence. · Independent assurance over the second line of defence.

TREND: Greater professional specialization in specific risks, and therefore better training of auditors.

EXPECTATIONS · More complex environments that require a better knowledge of risks in order to evaluate control effectiveness. · Identify risks that require greater specialization. · As a consequence of requirements made in MiFID, BII, BIII, EMIR, DFA etc. and due to the role as assurance provider on different matters it will be necessary to: - Train internal auditors on these matters. - Add new specialized resources who have the required underlying knowledge.

45 INDUSTRY OBSERVATORY

HUMAN TREND: There will be an increase in the use of integrated internal audit teams that include RESOURCES distinct specialists, and result in the emergence of a “super auditor” that combines kno- wledge of risk over multiple areas.

EXPECTATIONS · Processes cannot be understood without technology. · It’s difficult for an auditor to know everything, including IT. · Not just focused on IT · Multidisciplinary teams will be needed to better understand risks and necessary controls. · And, if possible, “super auditors.”

ORGANIZATIONAL TREND: The CAE will report directly to the Board or the Audit Committee, whose members, STRUCTURE in turn, will have a greater role in defining the audit plan and understanding the results of the audits.

EXPECTATIONS · Direct accountability of the CAE to the Board or Audit Committee. · Greater Audit Committee involvement in: - Strategic audit planning. - Annual audit plan. - Internal audit performance reviews. - Understanding of findings and recommendations. - Recommendation follow-up.

TREND: Greater requirements for both quantity and quality of information as a consequen- ce of the increased accountability of Boards and Committees.

EXPECTATIONS · Audit committees will demand more information. · Creation of value reporting for the Board and executive management that anticipates and evaluates potential risk events. - Large scale projects. - New product launches. - CAPEX projects. - M&A.

46 INDUSTRY OBSERVATORY

TREND: Internal audit will need to be reinforced in terms of people, resources, reporting li- ORGANIZATIONAL STRUCTURE nes and adequate sponsorship. This should include integration with and participation in ma- nagement committees and strategic processes within the organization.

EXPECTATIONS · Audit needs to be strengthened in terms of people and resources, reporting lines and adequa- te sponsorship. · More participation and integration in management committees. · More involvement in strategic processes of the entity. · Acknowledgement of the experience, knowledge and prestige of the CAE.

TREND: There will be organizational changes in internal audit departments driven by busi- ness model change.

EXPECTATIONS · Changes to business models, regulatory requirements, the single supervisor and stakeholders will produce, among others, changes to the risks that need to be audited, requiring organiza- tional alignment of internal audit, its people, resources and approach.

TREND: Internal audit will obtain new resources to deal with the reporting for the Single Supervisory Mechanism and the audit and quality committee.

EXPECTATIONS · Greater demands for information will draw more time from the CAE and other internal audit management. · Planning will need to be adjusted, with time assigned to this task. · Possible growth in specific reporting teams.

TREND: Traditional internal audit/branch audits will diminish in terms of resources assig- APPROACH, SCOPE AND ORGANIZATION OF REVIEWS ned and branches reviewed.

EXPECTATIONS · There will be more intensive use of remote auditing techniques due to ever more technologi- cal processes, such as digital signatures and electronic documentation. · Cyclical reviews of branches could disappear, and branches may only be visited when certain alerts or red flags are raised.

47 INDUSTRY OBSERVATORY

APPROACH, SCOPE AND TREND: There will be an increase in remote auditing and this will extend beyond the ORGANIZATION OF REVIEWS branch network.

EXPECTATIONS · Increase in remote auditing of other, non-branch risks, (IT, capital, liquidity etc.). · This approach entails significant cost and complexity and may not generate short-term re- sults.

TREND: There will be more dynamic risk assessments to create the audit plan.

EXPECTATIONS · Continuous auditing will be used to feed dynamic risk assessments. · Annual plans could be reviewed many times a year.

TREND: There will be more emphasis on process audits, management information and cor- porate governance.

EXPECTATIONS · Certain audits of processes unique to banking will require greater scope and will be more complex. These audits will require intensive use of resources. · Other entities in the audit universe will become more important, such as corporate governan- ce, strategic and business risk.

TREND: The types of assignment undertaken by internal audit will change in the medium term.

EXPECTATIONS · Supervisors and regulators are requiring internal audit to carry out certain engagements that require new and different approaches. · New regulation will cause the emergence of new audit entities (new processes or direct re- quests made by the supervisor). Additionally the FED and Basel Committee have published re- gulation with direct impact on internal audit, and point towards reviews of strategy and busi- ness, capital and liquidity, conduct and reputation, risk appetite, corporate governance and other corporate movements. · In line with the last point we may see new risks that make demands of internal audit, linked to new product launches, M&A, large corporate events, etc.

48 INDUSTRY OBSERVATORY

TREND: There will be engagements that require new approaches, new scopes and fresh APPROACH, SCOPE AND ORGANIZATION OF REVIEWS opinions.

EXPECTATIONS · New approaches will add more value for executive management. · There will be more advisory projects.

TREND: The profound changes in the regulatory environment will have a direct impact on the working methodology of Internal Audit.

EXPECTATIONS · Changes in the regulatory environment will affect the main phases of work of Internal Audi, in particular: - The development of the annual audit plan, which must meet the requirements of regula- tors. - The risk assessment process, for which major improvements are required to ensure it meets the harmonized methodology of the regulators. - The scope of work, which is subject to the specific requirements of regulators and the Audit Committee. In turn, the remaining work will be directed towards more innovative approa- ches.

TREND: Internal audit teams will rely more on evaluating the effectiveness of automated RESOURCES AND TECHNICAL REQUIREMENTS controls and on mass data analysis in order to reach conclusions.

EXPECTATIONS · Audit conclusions and opinions will based increasingly on: - Results of mass data analysis and less on statistical sampling. - Automatic control testing in business processing. · The possibility of exploiting large amounts of data and correlations to detect trends, patterns and one-off events.

TRENDS: The evolution of business models and technology will go hand in hand with in- creased use of IT tools to support audits.

EXPECTATIONS · The development of continuous auditing will depend on the capability of exploiting massive amounts of data. · The requirement of tools that allow the mining of massive amounts of data. · Internal auditors should have knowledge of, and be able to use these tools.

49 Instituto de Auditores Internos de España

Santa Cruz de Marcenado, 33 · 28015 Madrid · Tel.: 91 593 23 45 · Fax: 91 593 29 32 · www.auditoresinternos.es

Depósito Legal: M-827-2015 ISBN: 978-84-941921-9-7

Diseño y maquetación: desdecero, estudio gráfico

Impresión: IAG, SL LA FÁBRICA DE PENSAMIENTO INSTITUTO DE AUDITORES INTERNOS DE ESPAÑA

This new document of LA FÁBRICA DE PENSAMIENTO (The Thinking Factory) addresses the new challenges the banking and credit institutions are facing in Europe. A modern economy need this industry to be solvent and effective. The global economic crisis has demonstrated that only those entities with an adequate governance on risks and an appropriate control environment are able to survive. The others have simply disappeared or had to be intervened with a huge cost for the economy and public accounts.

This document analyses the banking industry in order to identify future changes and trends in the business models as well as in regulation. Thus we will be able to anticipate challenges and expectations the CAE will face in the years to come to accomplish their mission.