Internal audit in banks and the supervisor's relationship with auditors
This version
Introduction
As part of its ongoing efforts to address bank supervisory issues and enhance supervision through guidance that encourages sound practices, the Basel Committee on Banking Supervision (The Committee) is issuing this paper on internal audit in banking organisations and the relationship of the supervisory authorities with internal and external auditors. Adequate internal controls within banking organisations must be supplemented by an effective internal audit function that independently evaluates the control systems within the organisation. External auditors, on the other hand, can provide an important feedback on the effectiveness of this process. Banking supervisors must be satisfied that effective policies and practices are followed and that management takes appropriate corrective action in response to internal control weaknesses identified by internal and external auditors. Finally, co-operation between the supervisor, the internal auditor and the external auditor optimises supervision.
The principles set out in this paper are intended to be of general application, even though they will have to be applied within a specific supervisory framework. There are significant differences across countries as regards the use of on-site and off-site supervisory techniques. Also the degree to which external auditors are used in the supervisory function varies widely. While the exact approach chosen by supervisors in individual countries will depend on these types of factors, all members of the Committee agree on the principles set out in this paper.
This paper refers to a management structure composed of a board of directors and senior management. The Committee is aware that there are significant differences in legislative and regulatory frameworks across countries as regards the functions of the board of directors and senior management. In some countries, the board has the main, if not exclusive, function of supervising the executive body (senior management, general management) so as to ensure that the latter fulfils its tasks. For this reason, in some cases, it is known as a supervisory board. This means that the board has no executive functions. In other countries, by contrast, the board has a broader competence in that it lays down the general framework for the management of the bank. Owing to these differences, the notions of the board of directors and senior management are used in this paper not to identify legal constructs but rather to label two decision-making functions within a bank. The principles set out in this paper should be applied in accordance with the national corporate governance structure of each country. It might also be useful to consult the Committee's paper "Enhancing Corporate Governance for Banking Organisations" published in September 1999.
This document serves as basic guidance for supervisors and it sets out banking supervisors' views on internal audit in banking organisations and the relationship of the supervisory authorities with internal and external auditors. The Committee supports efforts to harmonise and improve internal audit standards internationally. The Committee promotes due consideration of prudential issues in the development of domestic and international internal audit standards.
An internal audit function within a bank that is organised along the principles set forth in this paper facilitates the work of bank supervisors. Strong internal control, including an internal audit function, and an independent external audit are part of sound corporate governance which in turn can contribute to an efficient and collaborative working relationship between bank management and bank supervisors. An effective internal audit function is a valuable source of information for bank management, as well as bank supervisors, about the quality of the internal control system.
The principles set forth in this paper apply to banks, including those within a banking group, and to holding companies whose subsidiaries are predominantly banks.
This document elaborates on the policy guidance issued by the Committee in 1998 entitled "Framework for Internal Control Systems of Banking Organisations", particularly the principles about the internal audit function. This 1998 framework provides significant international supervisory guidance on the evaluation of bank internal controls based on an advanced, modern internal control framework.
December 2011: a revised (consultative) document has been published.