fa95561bb46c46f199d44bebb15304f7

Annual Corporate Budgeting - is it the most ineffective practise in management?

Fri, 20 Jun 2025 12:52:19 GMT

Annual corporate budgeting process – is it one of the most ineffective practises in management?

Why?

Hidden opportunities
Stunts growth
Unproductive behaviour

You need financial planning, just not in the way it’s mostly done!

What should it entail?

Align employees with shareholders
Put growth, energy, fun into financial planning and inspire people to stretch.

Trust and candor are needed for it to work.

What usually happens?

Budget meetings usually go two ways:

1. Operations – devise budget. Assumptions have one goal – minimise risk and maximise bonus. Goals can absolutely be hit. Most companies reward for hitting budgets.

Senior management – rewarded for increased earnings. They want significant growth in sales and profits.

At the big budget meeting – both state their cases to support their arguments. After a marathon meeting, both look for a negotiated settlement. Both think that they have gotten something they can bear with.

2. Operations present budget with lots of interesting ideas and leave the meeting. After the meeting closes senior management decide on their own how much the business really gets. Management believes decision making is at HQs only.

Where can there be better focus and efficiency?

Link to strategic planning process and focus on:

How can we beat last year’s performance?
What is our competition doing and how can we beat them?
Come up with growth scenarios.

Compensate individuals and businesses that are not linked to performance against budgets. But link to performance against last year and against competition, taking real strategic opportunities into account.

Internal audit can review the budget process for linkages to strategic objectives and vision, input from departments that look to stretch their capabilities, how they can help achieve corporate’s strategic goals and how they process can be more efficient with best practises.

If you would like to see how your internal audit can add value to the budget process, please reach out to us.

Continuous Risk Assessment (CRA) and use of Data Analytics

Fri, 13 Jun 2025 13:17:50 GMT

Using data to identify emerging risks and significant changes to known risks can be used within the risk assessment, planning, testing and reporting phases of the audit cycle that can provide valuable insights that can help mitigate risks. Our focus in this article would be data analytics in continuous risk assurance. Most established internal audit departments would have some form of CRA. However, this guide can help refresh its purpose and provide an overview for those new in internal audit.

How to have a high impact audit

Modern internal audit methodology goes further than the traditional model that provided basic recommendations to fix issues that were identified. This is done by not only suggesting solutions but also evaluating them and providing a view of the cost-benefit analysis and whether it is worth it.

Continuous Risk Assessment Overview

A continuous risk assessment process enhances internal audit’s impact and innovation by providing timely risk and performance insights regarding the company. By assessing the company’s operations, internal audit can develop a set of key risk indicators (KRIs) across key categories. These indicators should be readily available, easy to compute and understandable. These can then be used for comparison and inform audit planning. Access to systems and MI can be fed into data models to generate the metrics and whether they are in tolerance.

As an example, for a retail and commercial bank, the following are a sample of risks and metrics that can be sought:

Finance risk – number of regulatory resubmissions
Conduct – number of complaints, court proceedings, actions taken
Regulatory compliance – number of emerging regulations that impact the bank but no plans in place
Credit risk – number of delinquent customers, number of write-off’s, number of credits underwritten outside of policies

Metrics can be assimilated by getting a better understanding of the business through MI and discussions with management.

Tolerance thresholds can be set for each of the metrics identified. A dashboard can be created giving an overview of what metrics are in tolerance and not. This can then be assessed for areas for audit focus and to generate viable solutions to counter risk. There are data models available or can be custom designed to retrieve data, transfer to metrics, compare to tolerances and create a dashboard.

Using CRA for Issue Identification

The following process can be used for identifying issues using CRA with the help of data analytics:

Identify areas of focus – track risk and performance metrics that align with the overall strategy to understand the performance. Identify audit entities with a risk profile that does not align with performance results. Understand key initiatives, changes in operations at the audit entity.
Generate solutions – using the risk profile and metrics, identify specific areas performing lower than expected results. Develop solutions that would provide positive ROI to management.
Evaluate solutions – test the solutions and refine where required based on results. Discuss with management the test results and whether solutions provide a fair view.
Cost-benefit analysis – calculate cost of implementation and cost of non-compliance. Present a summary of the findings from these steps to management.

Data analysis can highlight to internal audit areas where risks may be elevated. IA can drill down into these to identify the issues and generate viable solutions. The monitoring of these metrics can provide for a process to internal audit of continuous assessment on risk and able to capture emerging risks and adjust the audit plan accordingly where detailed audit is required.

For further information on how continuous risk assessment with the use of data analytics can be useful for your department and provide high impact audits, please reach out to us.

AI use in Credit Decisioning - Internal Audit Risk Considerations

Tue, 10 Jun 2025 16:18:47 GMT

Why the need of AI in credit decisioning?

An individual consumer wanting credit to support a purchase typically furnished couple months’ worth of payslips, bank statements, identification and a credit bureau check. This required the individual to be in possession of the underlying matters e.g. credit history, bank account, a job.

There are several millions that are unbanked in the UK for various reasons, e.g. recently relocated and doesn’t have a bank account or not enough credit history and gets turned down for credit. Banks could be making more money from this relatively untapped market.

With advancements in chip processing power, there are access to more data sources on financial behavioural aspects of personal characteristics that can support credit decisioning which can lead to more credit approvals and provide financial support to consumers.

Where AI is used in credit decisioning?

Access to data sources on consumer behaviours and advanced algorithms designed to assess the applicants probability of payment and default is one of the key uses of AI in credit decisioning in financial services.

This allows access to the ‘unbanked’ consumer which can expand the customer base for a lender. Efficiency can also be improved through automatic approvals with less manual referrals due to enhanced algorithms. Some systems monitor results and fine tunes decision making models which they claim increases accuracy.

Risks within AI in credit decisioning

Most banks create custom models which integrates with their existing loan originations system or replaces the existing. A growing version is AI powered credit decisioning system – Software as a Service (SaaS) basis which integrates with existing loan origination systems with Application Program Interfaces (APIs) and doesn’t require time and cost consuming resources like custom made programs. Therefore, risks associated with these are better understood with detailed system knowledge and models used.

Broader risks associated with AI in credit decisioning are:

Data source integrity – where does the data originate from, where can there be biases within here, age of the data, completeness and accuracy checks from the provider and the user.
Access to the ‘unbanked’ – where individual has limited or non-existent financial information and behavioural data from the wider society is used similar to the individuals circumstances, how much of a ‘success’ in the ability to pay is there within the model design and how much of this risk is acceptable for the banks strategy and risk appetite.
How does the model monitor performance of consumers credit and ‘fine-tunes’ the system to improve credit worthiness
Does the applicant know that AI is used for credit decisioning and for what aspect. An application that is turned down due to an aspect of AI could have an impact on its credit history.
What metrics or periodic testing is performed by the 1st and 2nd line to ensure there isn’t a bias being generated within the credit decisioning models.

How we can help

It is an important step to start to map out in a process diagram how the credit decisioning system works, highlighting in particular where AI is used in the control process. An assessment of where there is greater risk within the process should be then undertaken. A greater understanding of AI’s use in credit decisioning can be achieved by using these starting points. In addition, best practise adopted within the industry can provide valuable insights in to risk management.

To see how we can develop and support your audit needs on this subject, please reach out to us. We not only form part of the audit team to provide our experience, insights and knowledge but we also collaborate with the audit team so that they can benefit and lead on similar projects in the future.

SVB's Collapse: Lessons for Internal Audit

Fri, 06 Jun 2025 09:39:35 GMT

Silicon Valley Bank (SVB), was a regional bank based in northern California, USA. Its customer base involved high net worth individuals, tech companies and venture capitalists. It typically made customers sign exclusivity clauses, meaning SVB would be the customers sole banking partner.

SVB had significant growth in deposits as customers were awash with capital. The Bank decided to invest these deposits in long-dated US government bonds with typical rates yielding 0.5-2.5%. The Bank decided not to increase its loans products using its deposits to obtain a long term rate of return, perhaps as many of its customers were wealthy. Approximately 50% of its assets were in US government bonds.

SVB collapsed in almost two weeks in March 2023. What were some of the reasons why it collapsed so suddenly and what lessons can be learned, especially for internal auditors.

1. Concentration risk – SVB’s customers were based in the northern California region with a customer base as mentioned above. Although regional banks focus on a particular geography, not all focus in a single sector – venture capitalists backing tech and healthcare sectors. These sectors are highly volatile. This can have a profound negative effect on the bank should, or when, these sectors have a downturn.

2. Asset allocation – the sectors mentioned above had a huge boom between 2019 and 2022, which led to substantial increase in deposits held. Most banks would use these deposits to provide loans to customers that would have long term maturities at a decent rate of return. Instead, SVB used most of the deposits to invest in long-dated US government bonds. It perhaps thought this was risk-free investment. These assets were held in its books using the ‘hold-to-maturity’ basis, meaning these bonds would not be sold before their maturity dates and therefore they do not need to be revalued as the market prices for bonds fluctuate.

As the US central bank, the Federal Reserve, increased its interest rate substantially in a short time frame to battle inflation, this led to the market prices for the US government bonds to decrease. The bonds held by SVB were not revalued as they were held to maturity, but the actual market value of those bonds were significantly down. If there was sound governance with an efficient ALCO (Assets and Liabilities Committee) at SVB, they should have saw the early warning signs from the market and perhaps decided to sell off some of its bonds. Instead, more bonds were bought.

Word spread fast that SVB’s high levels of bond holdings actual value has significantly decreased. With perhaps customers doubting the level of confidence in SVB’s business model and its management, decided to withdraw its deposits. With the ease of online banking, a substantial amount of deposits were withdrawn. To meet the level of withdrawals, SVB now had to sell the bonds. Consequently, these bonds could not be held to maturity and were revalued to market rates, which resulted in significant write-downs in its value. This sent further jitters and led to further withdrawals of deposits.

More than 94% of SVB’s depositors had deposited more than $250,000, meaning that not all of the amounts would be insured by the FDIC if it became insolvent.

Deposits are a key source for many banks’ funds. However, banks mainly use these funds to make loans, such as commercial loans (one year) to mortgages (up to 30 years). The asset and liability mismatch requires careful management and monitoring, which doesn’t appear to have happened at SVB.

3. High leverage – most banks have a business model that pay depositors a small rate in order to use those funds to operate. Banks lend via loans at rate marginally higher than what they borrow at, thus making a slight spread, which increases as volumes of business increases. Thereby, volumes are key here. They can operate like this on modest equity capital. If the ratio of assets to equity capital is high, this could mean that if there is modest decline in asset prices this can make the banks equity capital insolvent. This is precisely what happened at SVB.

Basel III requires a minimum capital base measured in part by its risk-weighted assets. This measure is based on the credit quality of the bank’s assets. Majority of SVB’s assets were in government bonds, which are considered low credit risk and hence, has a stronger capital base in accordance to the Basel III requirements. The capital base was above the threshold of Basel III’s requirements along with the liquidity coverage. Could the question be asked to the regulator that what good are these measures in preventing an SVB style collapse?

It does seem that the bank’s supervisors were concerned with the level of interest rate risk it carried along with poor risk management. A 10K report showed that unrecognised losses from the asset portfolio were approximately $18 billion (approximately 96% of its capital base). The Chief Risk Officer role was vacant for the majority of the year. All these showed signs of poor risk management and governance at SVB.

4. Adequacy of internal audit – whilst risk management, governance and ALCO were mostly ineffective at SVB, as part of the three lines of defence and the objectivity of the internal audit from the operations management, internal audit should have raised alarm bells. The reason this perhaps did not occur, is that it too had issues of its own.

A letter of concern , written by the Federal Reserve of San Fransisco in December 2022, highlighted that upon its review of internal audit function it was “not fully effective.” The risk assessment process, process to define its audit universe, continuous monitoring process and its audit execution had material weaknesses. An ineffective internal audit function at SVB could be partly blamed for not holding management more accountable and raising early warning flags over its risk management practises.

Although banks can state they hold high liquid assets, in accordance with Basel III requirements, the level of unrealised losses and its increasing risk of actual losses in a state where they need to be sold, should be given more importance. Whilst many banks lobby governments for reduced regulations, it can be said that an effective regulatory environment that continually improves upon the changing risk environment can keep banks in check to a certain extent. Ultimately, the effectiveness of the board and its risk management processes are key to manage the risks of the bank effectively.

Internal audit can provide great value to the governance structure by assessing the effectiveness of the board, ALCO, risk and other key committees and providing best practises adopted in the industry that’s relevant to the size and complexity of the bank. At Dhallu, we have experience of assessing the effectiveness of the board, risk and key committees along with the corporate governance and culture at a bank. For a more in-depth analysis at your company, please get in touch: ravinder@dhallu.com

What is Continuous Monitoring in Internal Audit?

Fri, 30 May 2025 10:24:24 GMT

Continuous monitoring enables internal audit functions to form a holistic view of risks, current and emerging, facing the company. It can provide valuable real-time assurance that can help reduce negative impacts to the company.

What is Continuous Monitoring (CM)?

Continuous monitoring is a program to support the identification of risks with a forward-looking view, both within the company and the internal audit function. It is an effective and efficient method of providing the required assurance across the audit universe. It is also often to support the management committees and Board reporting and oversight.

CM is performed on an ongoing basis, reviewing inherent and emerging risks, the control environment and the audit needs of audit entities within the audit universe. Data is collected from various points such as Committee meeting packs and attendance, business unit management information, internal audit discussions with senior stakeholders, peer reviews. An assessment is made by internal audit whether risks have increased and what audit action needs to be taken.

Internal audit can perform CM across the audit universe looking at the levels such as lines of businesses, functions and regions.

A CM program is considered best practise for internal audit, with standards and guidance issued by the Institute of Internal Auditors (IIA), such as:

Benefits of Continuous Assurance to Internal Audit

CM is an effective and efficient way of providing on-going risk and control assessments for internal audit. One of the main benefits is that it provides deeper understanding of the business and current practises that enables internal audit to identify material risks in a timely basis, so that they can provide real-time assurance, with audit plan adjustments where deeper assessments are required. This can greatly assist senior management and stakeholders to take appropriate actions on a timely basis before negative impacts occur.

Further to this, internal audit can provide timely challenge to business stakeholders on emerging material risks, especially where internal audit attends Committee meetings, to take appropriate actions and provide better governance.

Better visibility of emerging risks can allow internal audit to focus more on these higher risks in upcoming audits or to add to the risk assessment within audit entities.

Reviewing risk profiles across businesses, functions and regions and any changes that occur, can provide for a more informed audit plan, with justifications as to its inclusion due to change in risk profile, and optimal resource allocation.

How to perform Continuous Monitoring?

Internal audit collects and assesses data, such as from the sources mentioned above, continuously throughout a period (often during the quarter). Findings and insights from first- and second-line assurance activities, regulatory pronouncements, macro developments and industry and peer developments should also form a key part. An assessment can be made against key risk categories, for example financial, conduct and financial crime, information security, people risk, credit risk, liquidity and capital, etc. that is appropriate for the company.

Internal audit makes an assessment by considering the need to amend audit focus based on the data gathered and provide an opinion such as audit focus increasing/ decreasing/ stable. The factor causing the increase or decrease should be compared to the audit plan to identify gaps or prioritisations. This is often documented, reviewed and presented to Committees within the Company. The same care and attention given to other audit work and workpapers should be considered as part of CM where real time issues are raised as a result of becoming aware of material issues and significance.

Continuous monitoring is a key program for internal audit which provides effective assurance on emerging risks and better corporate governance. The program should be set up where its importance is highlighted within the internal audit team with a robust structure and framework. If performed with diligence, it provides valuable insights and assurance to senior stakeholders within the Company and greatly assists in delivering internal audit’s mandate.

What is Risk and Control in Internal Audit?

Fri, 23 May 2025 08:13:57 GMT

For a new internal auditor, it can be daunting to be assigned tasks on a audit when you don’t fully understand the concepts of risk and control. This guide aims to help new entrants in understanding these concepts.

What is a risk?

A risk is the possibility of an event (internal or external) occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. There are some risks that are inherent within the business, simply by the industry it’s in.

What is a control?

A control is an action taken to manage a risk whilst achieving a goal (e.g. strategic). Some risks cannot be fully eliminated (unless you exit the business), therefore, management are willing to accept limited risk, which they define within their risk appetite. The control should limit the risk within its appetite.

An effective control is one that is designed effectively to meet its objective and operates in line with no exceptions in achieving its objectives.

There are two popular controls frameworks – COSO and COBIT.

COSO is commonly used within a firm, which is used to assess and manage risks. It has five components for an effective internal controls system:

Control environment
Risk assessment
Control activities
Information and communication
Monitoring activities

COBIT is an IT governance framework guiding firms on aligning IT with business goals, compliance and managing risks. Case studies demonstrating its benefits and uses.

What are the types of controls?

A control can be described in the following categories:

Operational Controls: Operational controls are controls over the initiation, recording, processing and reporting of transactions designed to operate at a level of precision that would achieve the control objectives (Completeness, Accuracy, Validity, Restricted Access) to mitigate one or more relevant risks. Operational controls are generally preventive in nature. They are part of the 1st line of defence.

Supervisory Controls: Controls effected at the management level to oversee the activities of their staff. These controls enable managers to have an overall picture of the risks and adherence to policies and procedures within their area of responsibility. Supervisory controls are usually performed after-the-fact and therefore have a detective character. They are designed to verify the effectiveness of operational controls executed by employees. These controls are part of the 1st line of defence.

Independent Controls: Controls performed by a body or unit within the organisation which is independent from the unit originating the transaction and usually performed after-the-fact with a detective character. Independent controls usually form the 2nd line of defence but can also be performed by control functions within the 1st line of defence.

Governance Controls: Those controls designed to ensure appropriate management of underlying business processes and contribute to the effectiveness of controls.

How do we describe controls?

The control must be designed to address the risk and keep it within its appetite. The design of the control includes certain attributes in performance that helps address the risk. These are:

Scope of the control (global/regions/legal entities/products);
Control location (geographical);
Control type (Operating, Supervisory, Independent or Governance)
Whether it is preventive or detective;
Frequency of operation;
Level of automation (automated/semi-automated/manual);
Reliance on systems or system generated reports;
Business Line, Control Owner and Control Performer;
Risk tolerance (if applicable)

How attributes assist in auditing?

The attributes mentioned above assists the internal auditor in assessing and opining on the design of the control. The following questions can help the internal auditor to assess the attributes of the control:

What - type of control (Operating, Supervisory/Independent, Governance control, automated/semi-automated/manual, preventive/detective) and what is it trying to achieve?
Who - is the business line/control owner/performer, is the department/person(s) appropriate / competent? Is the scope of the control appropriate?
When - does the control operate? Is the frequency appropriate or is it too late (timeliness)?
Why - does this control exist? What is the risk the control is addressing? Is the control responsive to the risk?
How - does the control work and what are the key components (e.g. reliance on systems or system-generated reports)? Is this an efficient / appropriate method? Does the control operate within risk tolerance?
Where - does the control take place and is this appropriate? (Different department or office location, is there segregation of duties)
What if (exceptions handling and escalation) - Is the way exceptions are handled and escalated going to resolve the issue (corrective actions)?
Control evidence - Is the control evidence appropriate to demonstrate that the control operated effectively? (reliability of information)

Example of control description

A daily reconciliation is performed by the finance team between the credit system and the accounting system in order to detect differences between both systems. Every reconciling item above £ 10,000 are investigated by the finance team. The daily reconciliation is produced automatically by the system XYZ. The list of reconciling items is reviewed and cleared by a staff of the finance department, who sign-off physically the reconciliation after performance of the control.

Assessing the attributes

Why – to detect differences between credit and accounting systems

What – reconciliation between credit and accounting systems

How – reconciling item above £10,000 is investigated. The reconciliation is produced automatically on a daily basis by system XYZ.

Who – performed by the finance department

When – daily

Control evidence – sign-off of the review of reconciling items.

What are the risks?

There can be many risks to the type of business, industry it’s in and should be analysed as so. Some of the common broad categories of risks can be bucketed within the following:

Finance – capital, liquidity, funding, accounting, tax, regulatory reporting, payment

Regulatory – financial crime and fraud, conduct, regulatory compliance, legal and litigation, people

Technology and Change – change management, technology and physical asset, cyber and information security

Credit – arrears and write-off, modelling

Operational risk – fraud, recovery and resolution

These risks can be further expanded in relation to the business model of the firm and should be more specific when conducting an audit.

Process versus Control

Internal audit often gets confused when performing audits by reviewing a process against a risk identified rather than assessing the control of the risk.

A process is a detailed step-by-step of what to do. It is focused on the operational steps.

A control is a specific action, that can be a part of a framework, designed to ensure that risk is contained within the level a firm is willing to accept.

If we take an example of a cash reconciliation, the process is the detailed step-by-step of which extracts are taken, spreadsheets to be opened, checked.

A control is the independent reconciliation to identify the out-of-tolerance breaks which are escalated and reported.

What are Effective Methods for Walkthrough’s?

Tue, 20 May 2025 07:28:53 GMT

An effectively conducted walkthrough is a testament to an internal auditor’s skills, experience and knowledge. It is highly effective in delivering strong audit results and providing audit stakeholders the ability to understand and manage risk better, which can have a long-lasting impact for the company.

What is a walkthrough in internal audit?

After assessing the risks to the audit entity, such as in a risk control matrix (RCM) during planning stage of the audit, an assessment of the existence of the controls within the organisation needs to be made to assess whether the risk is adequately controlled. In audit, this is commonly referred to as an assessment of the design effectiveness.

A meeting with the risk or control owner enables the auditor to assess what controls there are to limit the risk. During this meeting, the auditor builds a map of the process flow and assesses where there should be control points as there are heightened risks. A demonstration of the process is made using a transaction, often a past transaction, and results are reviewed. This is referred to as a walkthrough.

What’s the purpose of a walkthrough?

From the risk identified within the RCM, the internal auditor should build a map of how the related process should flow and at what points are there elevated risks. During the meeting with the risk owner, the auditor should understand what controls are in existence from the risk points that were previously assessed. The way the control works should be demonstrated using an example, such as a past transaction. The control owner should be able to explain the purpose of this control and what risk it is limiting or stopping and where it fits in the wider process flow.

How do you effectively follow up on walkthrough explanations?

Prior to a walkthrough meeting, if you have built a map of what the process flow should be and at what points you perceive risks, this gives a tremendous advantage when discussing with the risk or control owner.

Going into a meeting without having done the above, means you would have to ask the owner to describe the whole process during the meeting. Whilst that is being described, the auditor would have to at the same time evaluate the risks and assess whether the control described and demonstrated is adequate to control the risk. Sometimes details can be missed here, which often results in going back to the owner to clarify or ask additional questions. This is not always the most efficient way.

Having done the pre-work before the meeting, can result in better conversations where the auditor not only gets an idea of the process flow but is able to ask questions of how this certain risk, that was thought of in the pre-work, is covered within the process. The auditor should have more “time” to follow up on explanations as they should already have a mental picture of what an ideal control looks like (typically through past experiences or coached by a senior team member) and is better able to understand what the owner is describing.

What is an effective method to discuss control gaps during walkthroughs?

Auditors that understand the risks within the process and understand the controls or lack of controls in existence, should be able to “walk through” with the risk owner by asking what risks do they perceive in this part of the process flow and how should the risk identified be controlled. Afterwards, you can compare whether this is done within the process that you are reviewing.

Engaging the risk owner and deriving answers through this process during a walkthrough, I have found most effective in them realising that there is a control gap. There is less contention as well. The key here is going back to that principle of doing the pre-work. In addition, having that “time” during the explanations by asking the owner of what risks they perceive and “directing” them to the risks that you identified. Then, getting them to dig deep and explain how it should be controlled so there is limited or no risk (based on the company’s appetite), is highly effective in the risk owner accepting control gaps.

Opining on the design effectiveness

After going through the controls in existence and using a past transaction to see it being demonstrated, the key questions now are:

The risks that the auditor assessed, how is the risk being controlled to limit it to the company’s appetite?
Is the design of the control able to limit the risk?
Are there any weaknesses within the control, where risk can be penetrated? What is the probability of this happening?
Could the control be made more efficient, where it uses less resources and time?
Do the control/ risk owners understand where these controls fit in the overall process and what it’s intending to do?

These questions are a baseline for opining whether there are controls and that they are adequately designed to limit the risks that the auditor sees to a level that is acceptable.

In internal audit, walkthroughs are more than just looking at whether a transaction does what it says it does on a process or controls manual. If it is thought like this, I believe audit is not providing adequate assurance.

An internal auditor using their skills to identify the risks in the process and being comfortable that the company is protected by adequate controls, should be the objective that starts to provide adequate assurance.

Team Collaboration - the Key Skill for a Successful Internal Audit

Fri, 16 May 2025 08:40:12 GMT

Have you ever wondered why a particular internal audit report had such amazing findings and recommendations that it looked surreal? What’s the key to this success?

Team collaboration is the most underrated skill within internal audit. Coincidently, those that master this, are the most successful internal auditors I have seen.

Why is it a key skill?

When an audit entity has many team members and is assessing a bigger risk theme, then there is a challenge in bringing all the pieces together to see the bigger picture. The key to the success of such an audit entity is to share knowledge and experiences within the team, through coaching and informally discussing as a team - potential issues they’ve uncovered and what impact it might have on other team members’ work areas.

Knowledge and experience dissemination and on-the-job coaching are the best forms of learning for an auditor. Theory is mixed with practise. If done in the right way, all the pieces of the puzzle are brought together to see the bigger picture which allows to see common themes, root causes, culture and potential strategic opportunities for the company.

Mastering this skill allows for greater personal development in the team, boost morale and motivation and a sustainable talent model that is able to tackle key concerns that senior stakeholders have and emerging risks within the company and the environment it operates within.

One of the key factors one decides to have a career in internal audit is the enormous amount of learning – such as what are the key success factors why the company is so profitable in its market. Team collaboration skills provide ample opportunities to obtain this knowledge.

Why isn’t this commonplace then?

An audit team can be devised with individuals that may have technical knowledge on certain aspects and internal audit experience in a respectable firm. Having these are a good thing. But in my experience, there are more important skills that an auditor should have in order to tackle the most challenging audit subjects and for the long-term sustainability of the audit team.

An individual that has experience and knowledge should look to act as a role model within the team for the other team members. The role model should provoke knowledge sharing on the audit subject by leading from the front. What prior experiences they have including insights, they should apply to the company and brainstorm with the rest of the team where risks are more prevalent, what best practises are in certain processes and controls and how the company should best balance innovation, risk management and operational efficiency.

A role model should have the determination to lead by example even in tough environments and make sure the positive skills outshine and remind the team members the unique benefits and skills internal audit has to offer. This is best achieved when the team gets to see someone display the skills and output.

Effective team collaboration boosts other skills such as technical knowledge, communication, risk identification, ability to coach others, leadership, to name a few.

From my internal audit experience, I have seen the best audits in terms of findings and recommendations, overall learning experience and best team morale when team collaboration is at its heights. I have heard the same from the industry.

Having a bright individual with technical knowledge and experience can be a short term solution for tackling challenging audits, but if the individual does not share this knowledge and experience with the rest of the team in a conducive way, they will remain as a silo and will hinder the long term team sustainability.

Concerns with Bank's Cash Sweep Products

Wed, 14 May 2025 06:13:47 GMT

Recent investigations into some banks’ cash sweep programs highlight concerns that banks or brokers steer clients towards accounts that pay little or no interest. Further, the question of a duty to inform its clients that higher returns could be made by transferring to another account arises. This article looks at what a cash sweep is and what risks internal audit should consider upon a review.

What is a Cash Sweep?

Cash sweeping is the movement of funds from one account (bank or brokerage) to another. This is usually automated where an amount is transferred that exceeds a certain threshold or performed at a certain time. Typically, the amount transferred is to a higher interest-bearing account.

Types of Sweeps and its Benefits

Traditionally used by businesses with the purpose of earning higher interest than compared to amounts remaining in a low interest current account. A minimum amount is set by a business for its account, for which any amounts more than this minimum, are transferred to a higher interest-bearing account.

A sweep could also be used by a business to transfer funds to an account that falls below a minimum level.

The sweep can be set to occur at a certain time, for example, end of the day, monthly.

Sweeps can also be used for personal use. This is typically used for brokerage accounts, where idle client funds are transferred until client decides to invest.

Costs for Sweeping

Banks typically charge a fee for such a service, which is usually a percentage of the amount transferred, frequency of transfers or a set monthly fee.

What are the Concerns by the Regulators of Cash Sweeping?

Morgan Stanley, Wells Fargo and other institutions have been investigated by the US SEC recently over its cash sweeping programs. SEC investigated whether the banks and brokers steered clients to sweep their accounts that paid little or no interest. The question was also raised whether the banks and brokers had a duty to inform its clients that they can transfer amounts to another account that bears higher interest.

Results of these investigations led to Wells Fargo subsidiaries paying $35 million, Bank of America Merrill Lynch paying $25 million in settlements.

Points to Consider for Internal Audit on Cash Sweep Products

In the UK, there is an obligation by the banks to inform its customers about accounts with higher earning interest rates than a customer currently has, usually notifying the comparative rate.

Internal audit should review the product plan of a bank offering cash sweep products. Typically, these products are suitable for medium to large businesses that have high cash holdings. These won’t necessarily be suitable for small businesses. Therefore, product plans should restrict selling these products to small businesses upon review of their circumstances. Sales should document how the customer meets the eligibility criteria and is this a product that the customer “needs.”

Internal audit should also review the communication and terms and conditions that was offered to the customer upon taking the cash sweep product. Audit should review whether a customer can make an informed decision of what the net benefit, i.e. interest earned minus fees, could be, so that it can decide as to whether they are getting a competitive rate.

Further, internal audit should review the communications with bank’s customers to ensure banks clearly note for customer’s understanding that interest rates and fees are periodically changed so it should review periodically whether it is still getting a competitive net benefit from the product.

Cash sweep programs are designed for customers to obtain a higher rate for excess cash they may have. Business customers especially should monitor periodically whether they are getting a net benefit and whether they have a competitive rate. Internal audit should assess the risk that banks divert customers to lower, or no interest rate accounts for cash sweep transfers and the duty to inform clients of getting higher rates in another account.

Impact of Discretionary Credit Arrangements in UK

Tue, 13 May 2025 05:42:11 GMT

What impact is there on your firm’s credit arrangements as a result of the recent court judgement? Has internal audit provided much needed assurance to the Board that the firms’ framework, policies and procedures meet the legal and regulatory requirements and there has been no malpractice in operating the right requirements? We have assessed below some of the points that could guide you to providing this assurance.

What is a discretionary credit arrangement (DCA)?

Where an arrangement exists between a lender and a credit broker, where the latter is rewarded for adjusting the price a customer pays for motor finance, which includes any element in the total charge for credit and is remunerated on that basis. The U.K Financial Conduct Authority (FCA) published an instrument in January 2021, that banned such arrangements within the motor finance industry. The DCA does not apply to consumer hire but does apply to hire purchase.

Why is this not allowed?

A finding from FCA’s motor finance review , identified certain commission models caused harm to consumers. Where brokers were allowed discretion to set rates, which were linked to its commission, this created conflicts of interest for brokers to earn more commission by increasing the rate customers pay. In line with FCA’s objectives, consumers should be afforded protection by providing a fair deal.

Disclosure of commission

The review also led FCA to publish additional guidance which allows consumers to receive appropriate and timely information on interest charges and commissions, to better assess its finance options. These led to amendments to CONC rules (Consumer Credit Sourcebook) and is applicable to all consumer credit markets, not just motor finance.

Disclosure of the nature of the commission is required when making a financial promotion as well as on a recommendation. Disclosure should be prompt, before entering a credit agreement, covering:

How the commission arrangement could affect the price payable by the customer
The existence and nature of any commission payable to the broker

Judgement by the Court of Appeal

On 25th October 2024, the Court of Appeal handed down judgment in the cases of:

Johnson v FirstRand Bank Limited;
Wrench v FirstRand Bank Limited; and
Hopcroft v Close Brothers.

All three cases shared a similar scenario, the customer (claimant) purchased a vehicle at a dealership by obtaining finance. The credit agreement entered into, resulted in the dealership receiving a commission from the lender, where the dealer had a level of discretion to set the interest rate. The higher the rate, the more commission the dealer earned.

Other points of particular concern were:

In the case of Hopcroft, there was no mention of commission in the paperwork
In Wrench, the terms and conditions stated commission may be paid in a subheading under the heading ‘General.’
In Johnson, the terms and conditions disclosed the possibility of a commission.

The court did not use FCA’s rules in deciding the cases, as far as the judge’s opinion shows. The FCA, through the Financial Services Ombudsmun, will provide a statement in due course on the large number of complaints it received on the matter, in which its own rules should be applied.

There are three points of interest from the judgement:

Does a general statement in the terms and conditions that a commission may or will be paid negate secrecy if the borrower has neither read nor been directed to the statement?
Is the lender liable for the repayment of the commission?
As in Johnson, was the relationship between Johnson and FirstRand Bank Limited unfair under section 140 A-C of the Consumer Credit Act 1974 (CCA)?

For the first point, the judge deemed such a clause is insufficient for effective disclosure, as it does not actively inform the borrower an awareness of the commission arrangement. Effective disclosure, the court explained, requires banks to direct customers to commission details so they are aware and understand its potential impact on recommendations.

If the lender fails to ensure adequate disclose and the arrangement disadvantages the customer, the lender may be liable to repay the commission.

The undisclosed commission payable is viewed as “unfair relationship” under the provisions of the CCA. In the case of Johnson, the relationship was deemed unfair, as a lack of adequate commission disclosure created an imbalance.

The overall conclusion from this judgment, in addition to the changes made by the FCA, is there is a shift towards greater transparency in consumer credit arrangements in regards to sufficient disclosure, shared liability for brokers and lenders and informed consent.

To assist the Board in effective risk management, internal audit can provide value by its nature of being independent, use of its professional scepticism and experience of reviewing regulations, by reviewing the judgement, in addition to the FCA rules, to assess potential impact of:

Other credit services offered by its bank that could be captured for inadequate commission disclosure and unfair relationships created by its practices. Where these exist, establish root causes and agree with the business on remediation and better controls
Adequate governance and framework created by the business’s first and second lines of defence in assessing and resolving complaints received from customers on such matters.

Treatment of Vulnerable Customers at Banks - Audit Scope Insights

Tue, 22 Apr 2025 05:37:38 GMT

Ensure your firm provides unforgettable caring moments to those customers who are at most risk of harm by providing your Board assurance that they have the right culture, framework, systems and skills. Below are points that can assist in your design of the risk control matrix for a review of vulnerable customers.

Who are vulnerable customers?

Customers, who due to personal circumstances, become vulnerable to harm through use of a financial product or service, should be afforded protection against unfair outcomes. Firms should provide such outcomes with an appropriate level of care and embed fair treatment for its consumers within its processes. Characteristics of vulnerability can be wide ranging, and firms are expected to identify these across the product lifecycle.

Why the focus?

A key principle of the U.K Financial Conduct Authority (FCA) is for firms to pay due regards to the interest of its customers and treat them fairly. The business model and culture of a firm are key drivers of harm. This could be the communication of the firms’ strategic objectives as understood by its employees, competence of the leadership, incentives structure – especially meeting KPIs and customer communication and service.

Such is the focus of fair outcomes for vulnerable customers, the FCA has integrated it in its supervision.

Banks can suffer irreparable impact to its reputation and hefty fines where there are breaches to providing fair outcomes to vulnerable customers. Some recent examples in the U.K are highlighted below:

TSB Bank fined £10.9 million in 2024 for providing unaffordable payment arrangements with customers in difficulty or charging them inappropriate fees leading vulnerable customers to more stress and difficulties. Despite becoming aware of the practices it took TSB more than four years to take any action.
HSBC UK fined £6.2 million in 2024 for failing to consider consumers circumstances when they fell into arrears. Part of the root cause was the bank did not always do the right affordability assessment upon enrolling in the product. In addition, the bank’s policies, procedures and training of staff were also inadequate. Disproportionate action was taken by the bank for customers in arrears which risked consumers to further financial difficulty.

Role of internal audit

The first and second lines of defence can be too involved in the product lifecycle and dealing with pressures in making the products and services a success in the market. Internal audit has the advantage of using its independence from the everyday operations of the business, to review the risks entailed within the business and its impact on vulnerable customers. A review by internal audit may include five key pillars to obtain assurance over the firms processes and controls for treatment of vulnerable customers.

1. Identification of characteristics - understand nature and scale of characteristics of vulnerability that exists in target markets, what harm may arise and how it might affect consumer behaviour and experience.

Areas to assess may include:

What studies were used to understand characteristics of vulnerabilities that exists or will appear in target markets – how recent are these studies, how relevant is it to its market (is it national or local area), how objective is it, have relevant points from the studies been embedded in its process
How are characteristics identified if the firm is a digital bank (e.g. use of chatbot customer service).

2. Staff capabilities – frontline staff have necessary skills and capabilities to recognise and respond to range of characteristics.

Areas to assess may include:

If third parties used within the chain - e.g. brokers - assess its training, capabilities, complaints
Review training material and procedures and interact with frontline staff to understand how vulnerabilities are recognised and responded to, how disclosure is encouraged, methods of recording and evidence of assistance provided about consumer needs and how to seek specialist help

3. Systems - to support disclosing needs, range of support available and delivery of good customer service.

Areas to assess may include:

Is exploitation of vulnerable customers considered during the product lifecycle, such as product design.
Are products flexible to adjust to consumer needs
Where third parties used, is there follow-up to review whether needs have been met and quality of service

4. Communication – consider the needs and choice for channels to communicate.

Areas to assess may include:

Are the channels of communication on offer easily reachable for consumers, do they take account of consumer needs
Channels available for consumers to use third-party representations e.g. nominees, for communications.

5. Evaluation – regular management information (MI) to review outcomes delivered to vulnerable customers and implement policies where needs not met.

Areas to assess may include:

Systems capturing data where needs not met, e.g. consumer feedback surveys, complaints, staff
MI showing outcomes what action taken
Frequency of MI review

A bank that has the right culture, policies and procedures and trains its staff well in identifying vulnerable characteristics, adequate systems to support staff in responding to circumstances and an evaluation process that identifies unfair outcomes with corrective action, can build a reputation within the market for providing quality treatment to vulnerable customers that may impact its growth positively. Investing in such a framework not only means the bank is in compliance with regulations but also providing good outcomes for such customers can provide a unique selling point to its customers.

What is Internal Audit?

Mon, 21 Apr 2025 09:02:05 GMT

What is the purpose of internal audit?

The purpose of internal audit is to be a vital asset to the organisation’s board and senior management in helping them protect the organisation’s assets and it’s sustainability.

All organisations, such as banks in our field, whilst pursuing their strategic goals face risk. Internal audit can help organisations achieve their strategic goals by providing them with assurance whether the risks they face are adequately controlled and governed or not.

The role of internal audit can be summarised as follow with its key attributes:

They are independent from the organisation’s operations, often reporting to the Chair of the Audit Committee.
Provide risk-based and objective assurance. This includes insights, advice and foresight.
Utilises key skills such as challenging and influencing the senior management to improve its efficiencies and effectiveness, in areas such as controls adequately designed to meet the risk objectives and are not duplicated elsewhere and getting rid of controls that serve no risk purpose.
Assess whether controls are adequately designed to manage risks to the organisation whilst in pursuit of its strategic objectives.

What are the methods used to perform internal audit?

The classical thought of internal audit methodology is having papers attached to a clipboard and an auditor asking questions that have been pre-defined, perhaps questions used in the last audit, and ticking them whether the answer fits the box or not. If the answer did not fix the box, the operations were asked to amend their action so that it ‘fits the box.’

The modern methodology gives priority to assessing the structure and risk profile of the organisation for assessing the audit coverage. It considers areas such as the following:

Business strategy and whether key risks have been identified, including emerging risks
How effectively these risks are being managed
Focus on areas with higher risks
Ongoing assessment of risks, such as business process changes, new products and services, M&A, macroeconomic events
Review organisational culture and whether it’s embedded within the business strategy

The modern internal audit methodology helps more in achieving its purpose and helping the organisation by prioritising matters of greater concern and importance through evaluating its risks and its management.

What skills should the internal auditor possess?

There are typically three routes to an internal auditor: graduate or entry level internal auditor, moved from an external audit practise - typically post accountancy qualification, move from the first or second line within an organisation. The latter two may have to demonstrate some level of skills to the hiring manager to showcase the typical thought-process and skills an internal auditor should process.

More accomplished auditors have the following skill sets that allows for greater audit quality:

Inquisitive, scepticism – wants to know how things work, fits in the bigger picture, doesn’t always take things/ explanations at face value
Passion – genuinely wants to pursue the purpose of internal audit and learns and enjoys it whilst doing it
Team collaboration – learns from others in the team and shares experience and knowledge with the rest of the team so that overall audit quality and personal experience improves
Communication – gives stakeholders better perspective and understanding of risk and control, communicates ideas and issues through a systematic process enabling better understanding of how improving the risk management effectiveness and efficiency helps attain organisations strategic objectives.

If an auditor doesn’t have prior experience in a business segment, for example experience in FX products, but has the above skills, they would be more useful as they would be able to learn quickly through their passion and give more impact to the audit quality. Prior experience is not a good indicator of good audit quality as it would be useless if they were unable to share this knowledge to benefit the rest of the team or communicate issues more effectively.

What are the different types of internal audit functions?

Internal audit can be performed with an in-house team, outsourced to a third party, or in-house team is supplemented by a co-source provider.

Newly set up or smaller banks and building societies often go for an outsourced function. The hope is that the OSP can provide insights from other organisations within their portfolio that can share best practices and insights that can help them better manage risk. This can prove expensive in the long run and senior management should look to build an in-house internal audit team that has a sustainable purpose aligned with the corporate’s strategy.

An in-house internal audit team provides the best all-round value in achieving the purpose. With a strong leadership in the team, knowledge and experience can be shared with the team members stretching their abilities and obtaining vital skills that rarely any other team offers. Audit members rotating into the operations of the organisation helps build a better culture, risk management and for the individual stronger leadership capability.

A co-source solution can be very useful to build the team’s capability if used well. Knowledge and experience sharing through coaching is vital here, but its debatable whether this is achieved.

The future of internal auditing

The future of internal audit needs to adapt modern principles in order to achieve the purpose that has been described above, which supports the sustainability of the organisation it serves. The Chartered Institute of Internal Auditors (IIA) recently refreshed its Code of Practice and has included these modern theses. It highlights the importance of the scope of audit, which is vital. This blog was created to help auditors and audit teams devise the audit scope, to ensure that matters of importance and emerging risks that are linked to the organisations business strategy is assessed. Undoubtedly, if internal audit functions were to adopt these principles it would be in a very good position to achieve the purpose in providing that much needed assurance that the business can go about its strategies knowing that it has sound risk management.