Submission to the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry
The Institute of Internal Auditors – Australia (IIA-Australia) makes this voluntary submission in relation to the role of internal auditors in the banking and broader financial services industry.
In this submission we will outline a number of policy issues in relation to internal auditors that the Commissioner could consider in his interim and final reports, which could, if addressed, improve governance structures within financial services entities.
The IIA-Australia is the professional body representing Australian internal auditors. With more than 3,200 members made up of internal auditors in government, the corporate sector, and professional practice, IIA-Australia is the local affiliate of the global Institute of Internal Auditors (The IIA), which represents more than 190,000 members in 170 countries.
The IIA is the only global professional body dedicated to the advancement of the internal audit profession.
The IIA’s International Standards for the Professional Practice of Internal Auditing (the Standards) set the minimum standards for internal auditors worldwide. All IIA-Australia members are required to comply with the Standards under the IIA-Australia’s by-laws.
However, not all internal auditors are members of IIA-Australia and they are not required to conform to the Standards.
The Auditing and Assurance Standards Board (AUASB) is an independent, statutory agency of the Australian Government, responsible for developing, issuing and maintaining auditing and assurance standards. It does not develop standards for internal auditors, only external auditors (refer Appendix A for differences between external and internal auditors).
The scope of the external auditor’s engagement emanates from the requirements under the Corporations Act 2001 or other relevant legislation, to audit and review the entity’s financial statements.
ABN 80 001 797 51
Internal audit, on the other hand, has a far broader mandate to provide assurance that the controls in place across a business are sufficient to manage risk, and that governance processes are adequate and organisational objectives are met.
In contrast to external auditors, there are no legislative or regulatory requirements governing the practice of internal auditors.
At the internal auditor’s national conference held in Melbourne in May 2018, ASX Corporate
Governance Council Chair Ms Elizabeth Johnstone threw out a rallying cry to internal auditors “not to be timid, but be bold and brave.”
The challenge for an internal auditor is to remain independent, objective, and be resilient enough to deliver the bad news as well as the good.
Recent hearings from the Banking and Financial Services Royal Commission have shown that in complex corporate environments, where there are numerous layers of senior management and committees, the recommendations in internal audit reports can be ignored.
The Australian Prudential Regulation Authority’s (APRA) Prudential Inquiry into the Commonwealth Bank of Australia (CBA), highlighted that CBA’s internal audit function discovered serious conduct and non-compliance issues faced by the bank, which were raised with the board’s audit committee. 1
This Inquiry importantly highlighted the “weaknesses in how issues, incidents and risks were identified and escalated through the institution, and a lack of urgency in their subsequent management and resolution.” 2
The CBA was also criticized for not effectively implementing the Three Lines of Defence governance model despite a number of attempts over the years. The Three Lines of Defence model is used by many entities to define and control the risk management environment, and to provide assurance to the board of directors, audit committee, CEO, senior executives and stakeholders about effective governance.
As the first line of defence, operational managers own and manage risks. They are also responsible for implementing corrective actions to address process and control deficiencies.
The second line of defence, consists of management establishing various risk management and compliance functions to help build and monitor first line of defence controls.
The third line of defence is internal audit, which has a broader responsibility than external auditors, and provides assurance that risk is appropriately managed. Internal audit independently evaluates and provides opinion on the adequacy and effectiveness of both the first line and second line of risk and their risk management approaches. It is a form of assurance independent of management3.
1 Prudential Inquiry into the Commonwealth Bank of Australia, April 2018, pp 15-16
2 Ibid, p 3
3 Audit Committees: A Guide to Good Practice (Third Edition) 2017 pp 91-92
There have also been other examples of apparent governance failures presented as evidence to the Royal Commission but, at this stage, there has been little forensic examination of the ‘governance eco-systems’ in which, for example, internal auditors operate.
To be ‘bold and brave’, as Ms Johnstone suggests, means that reporting lines have to change, better protection for internal auditors needs to be in place, and internal auditors have to be given more authority by boards to apply their skills across the organisation.
Under APRA‘s Prudential Standard CPS 220, it states that the “Board must ensure it forms a view of the risk culture in the institution.” 4 To achieve this, internal auditors need to be given the authority to have more dialogue with Boards on the state of organisational culture. This may include, for example, the audit committee of the board giving internal auditors the mandate to audit the culture of an organisation, including measuring the ‘tone-at-the-top’ and how it filters throughout the organisation.
The UK Corporate Governance Code states that the board should assess and monitor culture. It goes on to say “Where it is not satisfied that policy, practices or behaviour throughout the business are aligned with the company’s purpose, values and strategy, it should seek assurance that management has taken corrective action.” 5 Internal auditors are ideally placed to provide this assurance.
Winning back the trust of banking and financial services customers will be a major exercise in re- building reputation, and the challenge for our banks and financial institutions is finding the ‘right
culture’ which comfortably co-exists with customer expectations, high performance and profitability.
This, we argue, can be achieved by establishing a stronger ‘governance eco-system’ with internal audit as a key pillar.
Internal audit is fundamental to good governance and sustained long-term performance. Internal audit, properly resourced and positioned, provides objective assurance on the adequacy of the
organisation’s system of risk management and internal controls. This can result in a more efficient and effective organisation and, more importantly, an effectively governed organisation.
The need for this objective assurance is particularly pertinent when the span of control, size and complexity of the organisation increases. Most experienced directors would insist that internal audit is a vital tool for fulfilling their duties as directors.
- Reporting Lines – The Banking and Financial Services Royal Commission should ensure that the reporting line for the head of internal audit is appropriate.
It is recommended that the internal audit function be ‘organisationally’ independent (of management) and report directly to the Board through the chair of the audit committee and administratively report to the chief executive.
4 APRA Prudential Standard CPS 220, Risk Management, paragraph 9 (b)
5 Financial Reporting Council The UK Corporate Governance Code, July 2018, p 4
Stronger controls need to be in place to ensure that the head of internal audit can report directly to the chair of the audit committee without fear or favour.
- Clear accountability for risk management and internal controls – Risk management and sound internal controls are a fundamental element of good management and governance, but too often are secondary considerations relative to short-term performance. The absence of clear accountabilities for risk management and internal controls can lead to this area not being given the priority it deserves. It should be clearly established that senior management is responsible for risk management and internal controls. The internal audit function is best placed to independently review and advise on risk management and internal controls provided by management. But management retains accountability.
- Better protection for internal auditors – Under the Corporations Act 2001, an external cannot be obstructed in carrying out their duties. Under section 311 an auditor in the conducting an audit must advise ASIC if there is a breach, and under section 1310 “a person must not obstruct or hinder ASIC or any other person in the performance or exercise of a function or Power under this Act”. Yet an internal auditor can be hindered or obstructed in their duties without the same protections. There is a need for consistency across all regulations and across the financial services sector on how internal auditors can be better protected when performing their work.
- Standards governing internal auditing – For internal auditors to do their best work, most ably support their organisation and inspire stakeholder trust and confidence, they must adhere to a set of principles-based, internationally applicable requirements for the practice of internal auditing. Following the International Standards for the Professional Practice of Internal Auditing (the Standards) helps internal auditors to function consistently at a peak level of competence and deliver risk-based, objective and strategically aligned assurance, advice and
External auditors are required to follow legislated standards issued by the Auditing and Assurance Standards Board (AUASB), but internal auditors are not required to follow any legislated standards.
The Standards should be mandatory for anyone conducting internal audit work. IIA-Australia is concerned that many internal auditors who practice within the financial services industry may not be applying these standards of professional practice, which incorporates requirements for ongoing quality assurance, and an improvement program including external quality assurance reviews.
(d) Internal auditors who are suitably qualified – At the present time there are no prescribed qualifications in legislation or regulations in Australia for those who practice internal auditing. This is a major risk for company directors who rely on internal audit to help meet their ‘duty of care’ to their organisation. The heads of internal audit for financial institutions need to be suitably qualified themselves or have access to someone who is.
Well-run organisations, in all sectors around the world, recognise internal audit as being fundamental to good governance, and the contribution it makes to effective organisational governance and sustained long-term performance. 6 7
Internal audit is the primary governance activity in an organisation with the scope, remit and independence to give a view which is independent from management. Its focus on governance, risk and control also acts as a strong catalyst for change when change is required.
The need for organisationally independent and objective assurance is particularly important when the span of control, size and complexity of the organisation increases. Rapidly changing enterprises also require assurance on the adequacy of their systems and processes as they respond and evolve. Given the rate of change being experienced by organisations today, most experienced directors would insist that internal audit is a vital tool for fulfilling their duties as a directors. 8
In Australia, we are witnessing the effect that the absence of strong corporate governance and culture can result in increased share price volatility and a discount to net tangible assets, undermining returns to shareholders.
“Top companies with bad culture have underperformed the ASX200 by close to 20 per cent over the past five years, according to new research by governance firm Regnan. Companies with good culture have outperformed the rest of the ASX200 by more than 30 per cent over the same period, the
research concludes.” 9
A number of issues have arisen in the Banking and Financial Services Royal Commission, which reinforces the important role the internal auditor can play in governance structures. The APRA Prudential Inquiry of CBA highlighted failures in reporting structures, internal audit reports not being acted upon by management, and the Board Audit Committee not communicating the true state of affairs to the CBA Board.
The submission will outline the following key issues confronting the industry, and some possible solutions to address gaps in practice, which may strengthen the ‘governance eco-systems’ in the Australian Banking, Superannuation and Financial Services Industry.
Key Issues and Recommendations
(a) Reporting Lines
Key issue: Internal audit should be structurally independent and free from coercion by management to be effective in its role. Functional reporting to the Board through an appropriately constituted audit committee on key issues ensures that the head of internal audit is able to report objectively without fear or favour.
6 Institute of Internal Auditors – Australia, Policy Agenda, Principle 1, p 4.
7 Financial Reporting Council Guidance on Board Effectiveness: July 2018 Pages 8 & 31.
8 Policy Agenda, Principle 1, p 4
9 Australian Financial Review, 23 April 2018
Currently, the ASX Corporate Governance Council Principle 7.3 in the Commentary – states “If a listed entity has an internal audit function, the head of that function ideally should have a direct reporting line to the board or to the board committee to bring the requisite degree of skill and independence and objectivity to the role.” 10
APRA Prudential Standard 510 at paragraph 88 states “an internal auditor must have a reporting line and unfettered access to the Board Audit Committee”, and at 91 “to fulfil its functions, the internal auditor must, at all times, have unfettered access to the institution’s business lines and support functions.” ASIC Information Sheet 221 states that internal audit should be independent from management, and “should report directly to the audit committee rather than management”.
Notwithstanding these statements, the internal auditor has no regulatory or legislative powers to enforce his rights to information within a business. Nor is the internal auditor protected under the law should he/she disclose information that may embarrass management.
Safeguards need to be developed because the head of internal audit could be removed, placed under duress, censored or have their scope and resources reduced by management. There are limited protections for the head of internal audit.
There is a symbiotic relationship between the audit committee and internal audit. A strong working relationship with the audit committee is vital to internal audit performing its role effectively. It also allows the audit committee to drive internal audit in meeting its expectations.
IIA-Australia believes that legal safeguards are necessary to protect the internal audit function and that these should include:
- That the hiring and firing of the head of internal audit should be a decision reserved by the governing body (the board) on recommendation of the audit committee.
- That the remuneration of the head of internal audit should be a decision reviewed and endorsed by the audit committee of the board (and not senior management).
- That the scope for internal audit should be a decision reserved by the audit committee on the recommendation by the head of internal audit, and the budget reviewed and endorsed by the
- That all internal audit work should be required to be reported to the audit committee and the audit committee should periodically request confirmation that all reports have been tabled.
- That the key results of all internal audit work should be reported to the audit committee and the audit committee should periodically request confirmation from the head of internal audit that all material matters resulting from internal audit work have been reported to the audit committee
- That throughout the year the chair of the audit committee and annually the audit committee as a whole should meet privately with the head of internal audit without management
- That at least annually, the audit committee should advise the board whether or not they have satisfied themselves that the internal auditor is appropriately positioned and adequately resourced; that the work of the internal auditor is being conducted in conformance with the
10 ASX Corporate Governance Council Principles and Recommendations, 3rd Edition, p 30
International Standards for the Professional Practice of Internal Auditing; that they have satisfied themselves that the internal auditor has not been impeded in their work; and, that management has responded appropriately to internal and external auditor representations.
(b) Risk Management
Key issue: Risk management and internal controls are fundamental elements of good management and governance, but too often are secondary considerations relative to short-term performance.
The maturity and scope of risk management and internal control frameworks across various organisations can be highly variable. As approaches to risk management and internal controls continue to evolve, many of these approaches are still inconsistent across and within sectors.
The absence of clear accountabilities for risk management and internal controls can lead to this area not being given the priority it deserves. There have been too many examples of this in recent times, and where calls for greater focus have fallen on deaf ears.
The absence of a thorough review of these areas by an independent party can mean that undue reliance may be placed on the organisation’s risk and control frameworks. Internal audit is best placed to undertake this review.
While organisations may look to internal audit for advice and assurance on the risk management framework and system of internal control, accountability for design and operation of these should remain with management (not internal audit). Organisations need clear accountability for risk management and internal control.
- That internal audit independently review and advise the audit committee on the statements on risk management and internal control provided by management.
(c) Legislative reforms
There are a number of possible areas for reform, such as better protection for internal auditors, and the adherence to the International Standards for the Professional Practice of Internal Auditing (the Standards).
Protection for Internal Auditors
Key issue: Under the Corporations Act 2001, an external auditor cannot be obstructed in carrying out their duties. Under section 311 an auditor in the conducting an audit must advise ASIC if there is a breach, and under section 1310 “a person must not obstruct or hinder ASIC or any other person in the performance or exercise of a function or Power under this Act”. Yet an internal auditor can be hindered or obstructed in the performance of their duties without the same legislative or regulatory protections. Nor are there any legislative rights to access information for an internal auditor.
External auditors provide assurance around the reliability of a company’s financial statements at a point in time over a short period of the year. Internal auditors, on the other hand, investigate on all aspects of a company’s operations over the whole year and are more likely to detect wrongdoing.
The Commonwealth Parliament is considering Treasury Laws Amendment (Enhancing Whistleblower Protections) Bill 2017, which has had its first reading. Under section 1317 AAA eligible whistleblower section (c) may apply to internal auditors who provide services to a firm, or an individual internal auditor who is an employee of the firm.
This Bill, if passed by Parliament, may provide some protection to internal auditors. But it does not address access to information and protection from obstruction and hindering.
- That protections that exist for external auditors in the Corporations Act 2001 be extended to include the work performed by internal auditors.
Internal Audit Standards
Key issue: Individuals are able to hold themselves out as providing internal audit work without: (1) being a member of IIA-Australia, (2) attending relevant training, (3) complying with global Standards, or (4) being certified or qualified to practice.
The International Standards for the Professional Practice of Internal Auditing (the Standards) issued by the International Internal Audit Standards Board, is the only set of standards that are available to be applied to those practicing internal auditing in Australia.
The Standards are developed and maintained by the International Professional Practices Framework Oversight Council. It comprises the International Federation of Accountants, the US National Association of Corporate Directors, International Organization of Supreme Audit Institutions, the Organisation for Economic Co-operation and Development (OECD), the World Bank, and the global Institute of Internal Auditors. The Oversight Council is designed to evaluate and advise on the rigor of the Standards and the guidance-setting process, which increases the relevance of the Standards to internal audit stakeholders around the world.
The ASX Corporate Governance Council (ASX CGC) includes the internal audit function in its Recommendation 7.3, and soon to be incorporated in Edition 4 part (a) reference to the Standards.
The basis for the ASX CGC adopting references to the Standards is that there are no standards issued by the Auditing and Assurance Standards Board (AUASB) that apply to internal audit.
ASIC in its Information Sheet 221 also references the Standards.
APRA Prudential Standards CPS 220 on Risk Management and CPS 510 on Governance do not reference the Standards for internal audit. This is an omission by APRA, as it effectively allows people who practice internal auditing in the financial services sector to do so without any adherence to professional standards.
Currently, the AUASB only issues standards that relate to external audits of financial statements.
IIA-Australia contends that the AUASB has the power to make auditing standards on assurance matters under section 227B of the Australian Securities and Investments Commission Act 2001. The
functions of the AUASB are outlined under section 336 of the Corporations Act 2001 for the purposes of the Board under the Act under section 336 (1) (b) is “to formulate auditing and assurance standards for other purposes; and (c) to formulate guidance on auditing and assurance matters, and, in the manner of making and formulating, the AUASB may make or formulate an auditing standard by issuing the text of an international auditing standard.”
The AUASB can be directed to adopt any standard it sees fit that applies to auditing including prescribing an existing standard.
- That the AUASB be directed to endorse the International Standards for the Professional Practice of Internal Auditing as issued, and updated from time to time, by the International Internal Auditing Standards Board.
- That APRA Prudential Standard CPS 510 require internal auditors to adhere to the
International Standards for the Professional Practice of Internal Auditing.
(d) Internal Audit function
Key issue: The internal audit function is not included within Commonwealth legislation. The ASX Corporate Governance Council Principle 7.3 acknowledges the internal audit function in a ‘if not, why not’ capacity for listed entities. APRA Prudential Standard on Governance 510 does include an internal audit function, but also allows exemptions, and it also states the “alternative arrangements for an institution where APRA is satisfied that they will achieve the same objective”. It is not clear
what “alternative arrangements” the regulator would consider in place of an effective internal audit function.
ASIC Information Sheet 221 on Internal Audit does reference the internal audit function and the
International Professional Practices Framework (IPPF) which contains the Standards.
There should be consistency with respect to the internal audit function and use of the Standards
across the regulators.
- That APRA Prudential Standard CPS 510 require internal auditors to adhere to the
International Standards for the Professional Practice of Internal Auditing.
“Suitably qualified” – internal auditors
Key issue: To ensure quality and consistency of work, external auditors are required to have certain qualifications to practice and ensuring that standards are followed. This is enshrined in the Corporations Act 2001. However, this is not the case for internal auditors.
Many individuals claiming to practice as internal auditors do not have appropriately recognised internal audit qualifications. This should be a concern for financial institutions as it impacts on the quality and comprehensiveness of internal audit work performed.
The ASX Corporate Governance Principles, APRA’s Prudential Standard 510, and ASIC’s Information Sheet 221, do not cite what constitutes “suitable qualifications” for internal auditors.
There are a number of ways to be suitably qualified. It should be stressed that an accountant or external auditor, for instance, does not make an internal auditor.
The public sector has moved faster in identifying suitable qualifications for internal auditors. For example, the Financial Accountability Act handbook in Queensland, states that accountable officers nominate an appropriately qualified person as head of internal audit. Information Sheet 2.6 Head of Internal Audit states “mandated minimum qualifications” include being a Professional Member of IIA-Australia (PMIIA). Professional members do hold specific internal audit designations or qualifications.
All NSW Chief Audit Executives must have “appropriate professional qualifications” or demonstrate high-level experience. The footnote in TPP 15-03 page 24 cites “Appropriate professional certification might include those, which would be recognised by the Institute of Internal Auditors, CPA Australia or Institute of Chartered Accountants.
Under Victorian Treasurer’s Standing Directions 126.96.36.199 (d) the internal audit function has to have “suitably experienced and qualified” internal auditors. Guidance documents supporting the Standing Directions issued by Treasury state that internal auditors must have a professional designation such as membership of IIA-Australia, which is not mandatory but a “relevant qualification”.
The Australian National Audit Office Internal Audit Best Practice Guide (2012) references internal audit and “it is generally expected that individual internal audit staff will be members of the Institute of Internal Auditors and/or other relevant professional associations such as CPA Australia.”
It should be noted that being a member of CPA Australia or another professional accounting body does not mean that they are qualified to practice as an internal auditor.
In respect to academic qualifications, and by way of example, under section 1280 of the Corporations Act 2001 – registration of (external) auditors, an applicant must pass a three-year accountancy
course or commercial law including company law (two years). When assessing “Prescribed Courses” the Corporations Act section 1280 – is supported by Corporations Regulation 9.2.03 which refers to courses offered by Institute of Chartered Accountants, CPA Australia and the Institute of National Accountants, and Auditor and Assurance courses offered by the University of New England.
A consistent set of recognised academic and professional qualifications for internal auditors could be included in Prudential Standards, ASIC’s Information sheets, and ASX Corporate Governance Principles. Doing so would cover all entities within the banking, superannuation and financial services industry.
A person who holds the Professional Member of the Institute of Internal Auditors – Australia (PMIIA) designation has been approved as being appropriately qualified in internal auditing. An individual can only obtain such a designation by holding the Certified Internal Auditor® (CIA) certification, offered globally out of the USA, or the Australian government accredited higher education Graduate Certificate in Internal Auditing (GradCertIA) qualification, or whose experience and competence in internal auditing has been assessed by a panel of professional peers.
- That reference be included in APRA Prudential Standards CPS 220 & 510 that require the head of internal audit to be suitably qualified or have access to somebody who is.
- That a Professional Member of The Institute of Internal Auditors – Australia (PMIIA) designation be deemed to meet the “suitably qualified” requirement for heads of internal audit or those who support heads of internal audit.
About the Institute of Internal Auditors
The Institute of Internal Auditors – Australia is the professional body representing approximately 3,200 members of the internal audit profession in Australia.
The IIA is the only professional body dedicated to the advancement of the internal audit profession. It runs an extensive range of programs to ensure that IIA members operate and are able to operate at the highest standards.
- The IIA’s International Standards for the Professional Practice of Internal Auditing (the Standards) set the minimum standards for internal auditors All IIA members are required to comply with the Standards under the IIA’s by-laws.
- The Standards require all internal audit functions to demonstrate compliance with the Standards through a quality program with independent valuation every five years.
- The international certification for internal audit is the Certified Internal Auditor® This certification ensures a base level of competence required to perform and sign off on internal audit work.
IIA-Australia also offers the Graduate Certificate in Internal Auditing (GradCertIA). It is a higher education qualification accredited by the Australian government’s Tertiary Education Quality
Standards Authority. It also ensures a base level of competence required to perform and sign-off on internal audit work.
Mark Harrison Peter Jones
President Chief Executive Officer
30 August 2018 30 August 2018
Appendix A – Key definitional differences between external audit and internal audit
External audit and internal audit often use the same terms when communicating with audit committees and the board. However, the meaning of such terms is often fundamentally different within the context of their specific activity. This appendix sets out some commonly used terms that may have different meanings.
|Commonly used term||External audit usage||Internal Audit usage|
|Assurance engagement/ services||An engagement in which an assurance practitioner expresses a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the outcome of the evaluation or measurement of a subject matter against criteria. There are levels of assurance provided by assurance engagements/services namely limited or reasonable assurance.
Reasonable assurance provides the greatest degree of assurance to users.
|An engagement involving objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.|
|Independence/ Independent||Ensuring an objective mindset, avoiding appearance and/or perception issues and avoiding conflicts of interest occurring. Practitioners are required to comply with this definition. Professional services firms and the members of an external audit engagement must be independent of the client, considering such factors as the scope of services the firm provides to the client, as well as the employment history and personal financial holdings of the engagement team and others in the firm.||The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. This refers to organisational independence or the hierarchical and reporting independence of the internal auditors from those whose work they are reviewing.|
|Internal audit||The internal audit function means a function of an entity that performs assurance and consulting services designed to evaluate and improve
the effectiveness of an entity’s
|Internal auditing is an independent, objective assurance and consulting activity designed to add value and
improve an organisation’s operations. It helps an organisation accomplish its
|Commonly used term||External audit usage||Internal Audit usage|
|governance, risk management and internal control processes.||objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.|
|Fraud||An intentional act by one or more individuals among management, those charged with governance, employees or third parties, involving the use of deception to obtain an unjust or illegal advantage.
External audit will (a) identify and assess the risks of material misstatement of the financial report due to fraud; (b) obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud; and (c) respond appropriately to fraud or suspected fraud identified during the audit.
|Any illegal act characterised by deceit, concealment, or violation of trust.
These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organisations to obtain money, property or services; to avoid payment or loss of services; or to secure personal or business advantage.
Internal audit is directly concerned with the prevention of fraud in any activity undertaken.