The Basel Committee on Banking Supervision issued a consultative paper on the internal audit functions in banks comprising 20 principles. This is a revision of the 2001 document and aims to promote a strong internal audit function and supervisory guidance of the function in banks. This is definitely a step in the right direction; however, it still fails to address some of the critical issues apparent during the financial crises. Below are some of my observations that may help the function to become stronger and more effective. I am being a devil’s advocate here and invite you to debate with me on these aspects.
1. Independence and objectivity of internal auditors
Principle 2 of the paper covers independence and objectivity of internal auditors. Point 15 mentioned below discusses the remuneration of internal auditors.
“The independence and objectivity of the internal audit function may be undermined if the staff’s remuneration is linked to the financial performance of the business line for which they exercise internal audit responsibilities or to the financial performance of the bank as a whole.”
My contention is that internal auditors within the organization can never be fully independent as their job, salary and bonuses are decided by the CEO/CXO. However, internal auditors/risk managers face the dilemma of getting appraised at year-end for being good critics of the decisions taken and work done by CXOs/CEO. Hence, there is a high possibility of being unfairly appraised on issuing strong reports. Senior managers may turn vindictive. This impacts independence as job, salary and bonus are dependent on senior management feedback.
The second aspect is about how internal auditors/risk managers should be given a bonus. Should they be given stock options like other employees? The committee paper “Principles of enhancing Corporate Governance” states –
“Banks should take other steps to better align compensation with prudent risk taking. One characteristic of effective compensation outcomes is that they are symmetric with risk outcomes, particularly at the bank or business line level. That is, the size of the bank’s variable compensation pool should vary in response to both positive and negative performance. Variable compensation should be diminished or eliminated when a bank or business line incurs substantial losses.
Compensation should be sensitive to risk outcomes over a multi-year horizon. This is typically achieved through arrangements that defer compensation until risk outcomes have been realised, and may include so-called “malus” or “clawback” provisions whereby compensation is reduced or reversed if employees generate exposures that cause the bank to perform poorly in subsequent years or if the employee has failed to comply with internal policies or legal requirements.”
Now my question is, if it is later discovered that the internal audit function failed to identify some control lapses and risks that resulted in huge financial losses to the bank, should their bonus/stock options be reduced subsequently? My view is yes, if they are receiving stock options and failed, then they should be withdrawn. However, if possible their compensation should not have a high variable component.
Lastly, rotation of internal auditors, a point that I consider relevant for maintaining independence, is not covered in the paper. Depending on the size of the bank, key staff of the internal audit function should be rotated to other subsidiary organizations or different functions every 3 to 5 years. Here the logic is the same as that applied to external auditors: with deepening business relationships, objectivity may be compromised.
2. Regulatory Compliance for Capital Adequacy and Liquidity
Principle 7 mandates that “internal audit function should ensure adequate coverage of regulatory matters within the audit plan.” One of the critical points covered relates to capital adequacy and liquidity assessment. The scope of audit should check compliance with the regulatory framework and assess the adequacy of capital resources in relation to bank risk exposures and minimum ratios.
From a banking perspective I believe this is the crux of ensuring applicability of the going concern concept for banks. As seen from the financial crises, the banks that failed basically had insufficient liquidity.
My argument here is about what happens when the internal audit function does mention the problems in the report. Let me take the case of the RBS failure. RBS faced a liquidity crunch as the CEO had taken a strategic decision towards “capital efficiency” due to which it heavily relied on wholesale funding. As per the report “the main weakness was the firm’s use of a 96% confidence interval in its assessment of how much capital it should hold, rather than the ‘standard’ 99.9%.” Secondly, the Supervision team was “concerned that the firm was underestimating the amount of capital that should be held.” The internal audit report also highlighted a few weaknesses relating to capital adequacy. A long-term plan was developed to improve capital adequacy; however, no change in capital efficiency strategy was envisaged.
Now my question is, in this scenario where the internal audit function highlights key gaps and the same are ignored, what should be done? The FSA report on the RBS failure states that no legal action can be taken as –
“There is neither in the relevant law nor FSA rules a concept of ‘strict liability’: the fact that a bank failed does not make its management or Board automatically liable to sanctions. A successful case needs clear evidence of actions by particular people that were incompetent, dishonest or demonstrated a lack of integrity.
Errors of commercial judgement are not in themselves sanctionable unless either the processes and controls which governed how these judgments were reached were clearly deficient, or the judgements were clearly outside the bounds of what might be considered reasonable. The reasonableness of judgments, moreover, has to be assessed within the context of the information available at the time, and not with the benefit of hindsight.”
According to the report, if senior executives ignore the internal audit reports and thus the firm suffers huge losses and goes bankrupt, they are not really legally liable. In my view, this is a flawed approach and encourages high risk taking since there is no downside to bad decisions.
My suggestion might raise a few eyebrows; nonetheless, I think it is required to avert further financial crises. A few penal clauses should be incorporated in the guideline that ensure high risks/control gaps are addressed by senior management. If senior management/board choose to ignore high risks they can be penalized by removal and/or not getting a similar position in any other bank.
3. Review of Internal Audit Function by Board
Principle 9 mentions the responsibilities of the board of directors and senior management in respect of the internal audit function. Para 43 states that –
“At least once a year, the board of directors should review the effectiveness and efficiency of the internal control framework based, in part, on information provided by the internal audit function.”
My contention is that an annual review is too little. Keeping in view the dynamic banking environment and global impact, review of the internal control framework for banks should be done quarterly. If not, at least it should be done half yearly.
Additionally, para 72 states that –
“Supervisory authorities should receive periodically (e.g., on an annual basis), or upon request, the main internal audit findings and recommendations as well as the corrective measures taken or to be taken in response to the weaknesses identified, in the same way the audit committee is informed.”
My view is the same here: it would be best to review the observations and weaknesses quarterly. An annual review would be historic and no corrective action would be possible.
4. Impact on bank’s Risk Profile
Principle 19 states that “supervisory authority should consider the impact of its assessment of the internal audit function on its assessment of the bank’s risk profile and on its own supervisory work.” In para 92 it further adds –
“Where remedial actions cannot be agreed upon or where the bank faces ongoing delays in remediating the identified weaknesses, the supervisory authority should consider the impact of this on the bank’s risk profile.”
A good example of this case is the CitiBank Rs 400 crore fraud (USD 76 million) conducted by employee (now ex) Shivraj Puri. The fraud case was filed with Gurgaon police in 2010. An internal report of Citi Security and Investigative Services (CSIS) was submitted five months before the date of the police case filing. Moreover, unusual activity in Shivraj Puri’s and his wife’s accounts was detected in its initial stages in 2008 by the fraud risk management team. The media report states that senior officials were aware of it and were involved in discussions, but did not take any action.
My argument here is the same as given in point 2. If there is failure to act on high-level risks, especially fraud risks, senior management/board can be treated as an accomplice to the fraud. Hence, the guideline should include a few penal clauses on failure to respond timely on identified risks and control gaps.
The framework fortunately does not subscribe to the COSO definition of internal controls and covers strategic risks. It also provides detailed guidelines on a number of aspects, including outsourcing of the function and managing the function in subsidiaries.
However, my view is that the guideline should be more stringent and include a few penal clauses. This might raise questions, as the guideline cannot replace the laws of the country. I understand that, so even a recommendatory guideline would be helpful. The logic behind this suggestion is that financial crises occurred due to bad decisions and high risk taking. It is unlikely that internal auditors/risk managers of the banks were entirely clueless about the high risks. In all probability management chose to ignore those warnings, hence the crash. Therefore, to avoid a similar disaster some measures need to be incorporated to ensure that management/board cannot override high impact risks that exceed the risk appetite/tolerance of the bank without being personally liable and accountable.