Reuters has a story out today entitled, “Regulators tighten up bank in-house checks.”
Unfortunately it does nothing to illuminate, in fact it distorts, the role of internal audit, external audit and the Audit Committee of the Board of Directors in a bank. Just another example of the lack of understanding by most major media journalists of these functions and their roles in the capital markets and regulatory infrastructure.
I’ve written many times about why this happens. It’s not for lack of trying or desire for doing the right thing by the individual journalists. They have no time or encouragement to learn. The editors often know even less and make journalists simplify and dilute exact terms that accurately describe roles and responsibilities in the law in the interest of “readability” and mass market appeal. Some of them have no desire to understand these activities.
Here’s my response since I could not, for some reason, post a comment at Reuters.
Dear Reuters: This story is a hot mess and unfortunately does nothing to raise awareness of the role or responsibilities of internal auditors. For example, why the use of “so-called” in the second paragraph? It implies a pejorative.
Ummm, that’s what the function is called. Internal Audit.
And was the function “discredited in the financial crisis where there were clear lapses in managing risks” or is it that the internal audit profession, “largely escaped fallout from the financial crisis which mostly hit regulators, credit rating agencies and external auditors.”
I think the fallout on external auditors was very late and still sorely lacking as they have scooped up all the work for government addressing the problems that occurred. They also got away with not issuing any “going concern” warnings to qualify the financial statements of all the banks that failed, were bailed out, were forcefully acquired due to insolvency or went bankrupt in the US or UK as a result of the crisis. Taxpayers paid but were not warned in advance.
Did the “U.S. reform of Wall Street, known as Dodd-Frank” put responsibility for implementing the reform on a bank’s internal audit committee.” ?? I don’t recall anything like that. There was no mention of the Audit Committee of the Board of Directors but there was mention in Dodd-Frank of requirements for risk committees for banks. Those standards have been written by the Fed. Dodd-Frank didn’t mention external auditors or internal auditors once. Instead, Sarbanes-Oxley was the law that, at least for the US, drew the line between services external auditors could provide to their clients – internal audit co-sourcing or outsourcing is now prohibited – but the UK has unfortunately not adopted that restriction. In fact, the UK has allowed the conflict to proliferate in the name of cost savings.
“There is no direct supervision of internal auditors…” except by management and the audit committee of the board of directors to whom the Chief Internal Auditor is encouraged to have a direct line of reporting by Sarbanes-Oxley.
Listing standards for the NYSE require an internal audit function. NASDAQ where most new tech IPOs like Facebook are listed, does not. Back in 2003, the Institute of Internal Auditors (IIA) made recommendations post- Sarbanes-Oxley that were adopted for the most part by NYSE, but not completely by NASDAQ. And both the NYSE and NASD left a few key recommendations hanging.
In addition, the IIA has never mandated, under its own standards for the internal audit profession, a direct reporting of the internal audit function to the independent Audit Committee. The SEC did not adopt this requirement in their final rules, either.
If you have any questions on how to make these corrections, you can find me at https://francinemckenna.com
You may want to read my column in American Banker about risk committees in banks.