Recently the Chartered Institute of Internal Auditors released their recommendations from the Committee on Internal Audit Guidance for Financial Services titled Effective Internal Audit in the Financial Services Sector.
We have extracted the key points from this guidance here. In this blog post, we consider how these updated requirements are enabled via StratexPoint’s Audit Management functionality.
A. Role and Mandate of Internal Audit
With the remit of “protecting the assets, reputation and sustainability of the organization”, we believe that Internal Audit needs to move away from stand-alone spreadsheets or point solutions to support the audit process. Instead, it needs an integrated solution which incorporates both the Audit Management capabilities that enable the Internal Audit team to be effective and the strategy and risk management capabilities which support the rest of the organisation, creating a single, integrated management framework and approach.
This means that Internal Audit works with the same management framework (business objectives, risks, controls, processes etc.) and the same information (risk and control assessments, Key Performance Indicators (KPIs), Key Risk Indicators (KRIs) and Key Control Indicators (KCIs), Initiatives and Action Statuses etc.) as the rest of the organisation is using day-to-day. This enables an effective Risk-Based Internal Audit (RBIA) approach to be taken, improves the cost and effectiveness of audits and, most importantly, means that everyone across the three lines of defence is working from the same set of data. Working from a single source of data means that when Internal Audit reports, the focus is on the identified Audit Issues, not arguments about the data and data definitions.
B. Scope and priorities of Internal Audit
The guidance clearly requires Internal Audit to scope audits broadly, taking into account both the strategic and operational aspects of the organisation, including business strategy, risk appetite and business model considerations. Additionally, customer outcomes are included in the scope, which is in line with the FCA Conduct Risk agenda.
In terms of priorities, the concept of Risk-Based Internal Audit (RBIA) is embedded in the guidance.
From a technology solution perspective, this requires organisations to deploy solutions which go beyond a siloed risk management or compliance solution to more comprehensive solutions which enable and support the strategy execution/enterprise performance management aspects of the organisation’s governance and management framework.
As the only integrated strategy execution and risk management solution built on the Risk-Based Performance Management methodology, StratexPoint is uniquely placed to support Internal Audit as they develop and mature their approach in line with the updated guidance. Importantly, StratexPoint provides comprehensive Risk Appetite definition and monitoring capabilities, including the Appetite Alignment Matrix, which enables an organisation to determine whether it is operating within appetite (adhering to risk appetite).
The guidance also touches on the important point of culture, specifically risk and control culture. Given this, it is worth sharing that the reason we selected SharePoint as the base technology for our application was its collaborative capabilities and ability to reach across the enterprise, allowing strategy execution and risk management to become part of everyone’s job (via StratexPoint) and giving everyone a clear definition of their role within the strategy execution and risk management process (via the RACI Model embedded within StratexPoint).
C. Reporting Results
Reporting results and generating business-oriented insights and management information (MI) is an important role of Internal Audit, particularly as it is via the reported results, insights and MI that they will be able to build credibility with the Board and Executive while also asserting their independence from them.
Coming back again to the use of a solution which supports each of the three lines of defence, using StratexPoint to enable the Internal Audit team means that reporting and the generation of insights and MI are all done using the same approach and tools that the rest of the business uses. Additionally, tracking the closure of Audit Issues and Audit Actions is done using the same approach, dashboards and alerts as the tracking of business Issues and Actions.
D. Interaction with Risk Management, Compliance and Finance
It is our experience that Internal Audit’s interaction with other functions, particularly the Risk Management, Compliance and Finance functions, is often hampered by a poor definition of accountabilities, specifically the boundaries between these closely related functions. The interaction is also hampered by discussions about data inconsistency and data quality issues, because each function is using its own siloed solution or ad hoc spreadsheets on a functional shared drive hidden from the rest of the organisation.
StratexPoint solves these issues, enhancing and providing structure to the interaction by providing a single solution across each of the Three Lines of Defence and creating clear definitions of accountabilities and responsibilities across the enterprise via the embedded RACI model.
The guidance makes clear that ensuring the audit team has the skills and experience commensurate with the risks of the organisation, and providing effective challenge throughout the organisation and to the Executive, are among the key responsibilities of the Chief Internal Auditor.
There are two aspects of StratexPoint which help the Chief Internal Auditor to fulfil these responsibilities. Firstly, with the ‘People and Roles’ functionality within StratexPoint we can provide very effective personal performance and risk management, enabling a much higher quality conversation within the Internal Audit team about the level of team performance and the underlying causes of any performance gaps (for example, organisational or regulatory changes that now mean we do not have the right headcount or the right skill set). Secondly, to ensure the Internal Audit team has the skills and experience commensurate with the risks of the organisation, the risks, and particularly the alignment of risk appetite, must be well defined, monitored and reported on. Equally, as the organisation changes, the business model changes or the business environment changes, the Internal Audit team needs to be able to monitor those changes and adjust its team accordingly. This is core to what StratexPoint does.
F. Quality Assessment
Evaluating the performance of the Internal Audit function, as well as monitoring the quality of the audit process and outputs, is straightforward with StratexPoint. With the ability to define objectives, processes and initiatives, each with KPIs, Improvement Actions etc., for the Audit Function (an entity within StratexPoint), StratexPoint enables the Board and/or Audit Committee to monitor Audit Function performance using the same tools as they would use for any other function within the organisation, for example an Audit Team Strategy Map, Audit Team Dashboards etc. Additionally, at the audit process level, StratexPoint provides tools such as KPIs, Improvement Actions and Quality Testing to monitor the audit process as a whole or down to an individual audit. By applying the same quality management tools to Audit, and by Audit holding itself to the same standard it expects from the rest of the organisation, the Chief Internal Auditor and the Audit Team build their credibility and standing within the organisation, making for more effective challenge.
G. Relationships with regulators
From the very first project where StratexPoint was deployed, enabling the building and maintenance of a good relationship with regulatory stakeholders was an important critical success factor. We do this by ensuring that the organisation, including Internal Audit, has the right tool to translate its vision of the organisation, including its risk and compliance vision, into reality. Importantly, when that vision has been presented in the typical PowerPoint format, being able to go to StratexPoint and demonstrate that the vision is embedded within the organisation builds the trust and confidence that many regulatory stakeholders are looking for. Having information available in real time that touches on the strategy, business model, risk appetite, key risks, controls and the accountabilities around each of these enables a high-quality, open conversation to take place between the Internal Audit team and regulators.