Introduction
Who decides the scope of an internal audit, and to whom should the auditor communicate its findings? In our earlier article Even the Devil Hates Internal Audits, we discussed the role and importance of the internal audit function for financial institutions. In this article, we assess to whom the internal audit function should report in line with applicable Singapore regulatory guidelines and industry best practices.
What is an internal audit function?
An internal audit function of a financial institution assesses whether the institution’s existing policies, processes and internal controls are independent, effective, appropriate and remain sufficient for the institution’s business.1 Controls assessed may include risk management, compliance and corporate governance processes. The internal audit function should have a reporting line to a financial institution’s board of directors (the “Board”) or an audit committee of the Board and is expected to be adequately staffed, independent and permanent.2
Upon completion of an internal audit, the findings should be presented to senior management who have the responsibility and authority to implement corrective measures.3 Once finalized, the report would also be available for review by the Monetary Authority of Singapore (the “Authority”).
The provision of internal audit services is not a regulated activity. Financial institutions are instructed to appoint to the function “senior personnel who are fit and proper to oversee the internal audit function”.4
What companies benefit from an internal audit function?
HM primarily advises regulated financial institutions. However, any business could potentially benefit from an internal audit.
What standards are relevant to the internal audit function?
The Internal Control Guidelines do not specify a methodology for conducting internal audits. Instead, the Internal Control Guidelines state:
The internal audit function should employ a methodology that identifies the material risks run by the institution. In addition, the internal audit function should prepare an audit plan which is reviewed regularly based on its own risk assessment, and allocate audit resources accordingly. Internal auditors should vary the audit frequency according to the level of risk. The scope and frequency of internal audits should be increased if significant weaknesses are found or if there are significant changes to the risk oversight process, product lines, modelling methodologies, internal controls or risk profile. To facilitate the development of sound controls, auditors should be allowed to comment on the product and system development process at an early stage, though the level of their involvement should not compromise their independence or their ability to objectively review the new product or system subsequently.5
The International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors outline the best practices for internal audit reporting. The Authority referred to these standards in connection with assessing the performance of an outsourced internal auditor.6 However, such standards are illustrative rather than binding on how internal audits should be performed on financial institutions.
What constitutes an internal audit function having sufficient independence?
A critical aspect of an internal audit function is that it is independent. The Authority does not define “independence” in this context. However, a financial institution should consider whether its internal audit function has sufficient:
- Functional independence: can it conduct its work without undue interference from management and other parties?
- Personnel independence: does the team have any operational responsibilities within the institution which may create a conflict of interest?
- Mindset independence: do the auditors maintain an unbiased attitude and approach their work with integrity, objectivity and professional skepticism?
Finally, a financial institution should consider whether the internal audit function has sufficient organizational independence to address potential conflicts of interest and undue influence from management. This issue drives the debate regarding internal audit reporting lines.
What are the arguments in the debate on internal audit reporting?
As mentioned above, under the Internal Control Guidelines an internal audit function should have a reporting line to the Board or a committee of the Board. However, the Internal Control Guidelines do not state whether that should be the exclusive reporting line of the internal audit function or how additional reporting lines should be implemented.
A financial institution may have both direct and indirect reporting lines. In a direct reporting line, an employee reports to one or more immediate managers who are generally responsible for overseeing the employee’s day-to-day job scope. Indirect reporting can be effected in numerous ways, including by giving an employee direct access to a different manager without going through the employee’s direct manager. In Singapore, financial institutions are expected to have a corporate governance framework that supports senior managers’ performance of their roles and responsibilities, with a clear and transparent management structure and reporting relationships.7
In the context of internal audit, there are multiple theories about the ideal reporting relationship, including:
- Internal audit should report exclusively to the Board or its subcommittee.
  - Pros –
    - Maximum independence for the internal audit function.
    - Alignment with the recent Best Practice Paper (the “Best Practice Paper”) published by the Anti-Money Laundering Audit Peer Group.8
  - Cons –
    - Sidelines senior management and arguably makes the Head of Internal Audit equivalent to the Chief Executive Officer with respect to the domain of the internal audit function.
    - Some financial institutions may not have non-executive directors, in which case you may not have achieved any greater independence compared to having a reporting line to senior management.
- Internal audit should report to the Board or its subcommittee, except for administrative matters (such as holiday approval).
  - Pros – Strengthens organizational independence of the internal audit function without leaving the Board with administrative decision-making responsibilities.
  - Cons – Same as above.
- Internal audit should directly report to a member of the financial institution’s senior management while having unfettered reporting access to the Board or its subcommittee.
  - Pros – Strengthens senior management, including its ability to participate in the design and implementation of the internal audit.
  - Cons – Reduces organizational independence of internal audit.
Is there a definitive answer to this reporting debate from a governance perspective?
In our opinion, there is no definitive answer as to how the internal audit function should be structured within a financial institution. Although the Best Practice Paper suggested that having the internal audit function report directly to the audit committee of the Board should be considered a “baseline standard”9, that recommendation was in the context of the banking industry. We do not believe it should be considered a baseline standard for all financial institutions.
Instead, a financial institution should determine an appropriate reporting structure based on the financial institution’s scale, nature, and complexity. In general, we expect larger financial institutions would place a greater emphasis on the organizational independence of the internal audit function. Nevertheless, the fact that a reporting structure offers the internal audit function greater organizational independence does not necessarily make that structure preferable or “best practice”. An internal audit function can be sufficiently independent without being maximally independent.
Conclusion
HM offers outsourced internal audit services and can suggest corporate governance structures tailored to your needs. For readers of this article who are senior managers of a financial institution, we would be pleased to speak to you about the development of your firm’s internal audit function. For internal audit professionals, to paraphrase Blake Lively’s Instagram post regarding Deadpool and Wolverine’s many millennial references, please know that you are seen.
For further information, contact:
Chris Holland: Partner | chris.holland@hmstrategy.com
Catherine Buroker: Consultant | catherine.buroker@hmstrategy.com
Disclaimer: The material in this post represents general information only and should not be relied upon as legal advice. Holland & Marie Pte. Ltd. is not a law firm and may not act as an advocate or solicitor for purposes of the Singapore Legal Profession Act.
1. See Paragraph 2.6.1 of the Monetary Authority of Singapore’s Guidelines on Risk Management Practices – Internal Controls (the “Internal Control Guidelines”).
2. Id.
3. See Paragraph 2.6.8 of the Internal Control Guidelines.
4. See Paragraph 2.2.6 of the Internal Control Guidelines.
5. See Paragraph 2.6.5 of the Internal Control Guidelines.
6. See Question 9 of the “FAQ on MAS Guidelines on Outsourcing” (December 2023).
7. See Outcome 3 of the Authority’s Guidelines on Individual Accountability and Conduct.
8. The AAPG is an industry led group established to facilitate the sharing of anti-money laundering and countering the financing of terrorism audit best practices in the financial industry and promote engagement with the MAS and the wider audit community on key AML/CFT risk areas.
9. In the Best Practice Paper, “baseline standards” are defined as expected minimum audit standards and practices that banks’ internal audit functions and external audit firms shall adopt and implement. According to the Best Practice Paper, non-adoption of baseline standards may be considered as having inadequate standards and practices.