The Basel Committee on Banking Supervision’s most recent consultation document – Corporate governance principles for banks – sometimes erroneously describes internal audit as a control function of banks, says the European Confederation of Institutes of Internal Auditing (ECIIA) in its response to the paper.
This misunderstanding could seriously undermine internal audit’s ability to provide banking boards with objective assurance on the effectiveness of their risk management systems.
“It is essential for the document to reflect that internal audit is the only independent function for the board that can oversee all other functions and so provide boards with the assurance they need,” ECIIA President Thijs Smit says. “In some paragraphs of the current draft, control functions such as risk and compliance are given the same status as internal audit.”
While the paper recognises the importance of internal audit’s role as an assurance provider, it fails to distinguish its unique oversight position in the three lines of defence model that the consultation document adopts.
“As this document will have a core status of reference for the banking sector in Europe, it is vital to have a common view and understanding of the internal audit function as the third line of defence and how it differs from the other lines,” Smit says. “Our comments aim to help clarify the role and function of internal audit and to remove any potential confusion.”
The Bank for International Settlements, which established the committee, published the proposed guidelines in October 2014. The new recommendations build on the committee’s 2010 paper Principles for enhancing corporate governance.
Among other things, the committee wishes to strengthen the guidance on risk governance, including the risk management roles played by business units, risk management teams, and internal audit and control functions; underline the importance of a sound risk culture to drive risk management within a bank; and expand the guidance on the role of the board of directors in overseeing the implementation of effective risk management systems.