
Where Regulation Rules

Faizal Chaudhury, CPA, CGMA, Oct 10, 2022

Internal audit functions operating in highly regulated industries, such as financial services, face great scrutiny by regulators because of their key role in preserving the financial resources of investors and consumers. Professional practice, stakeholder collaboration, and risk prioritization are three areas in which internal audit can shine in these intense environments. 

Start With the Standards

To maintain the trust and confidence that various regulatory agencies place in the profession, internal audit must continue to conform with The IIA’s International Professional Practices Framework and its International Standards for the Professional Practice of Internal Auditing. The IPPF is currently undergoing an extensive overhaul, with new Standards expected to be completed by late 2023.

For internal auditors looking to benchmark their function against the IPPF’s guidance and Standards, a self-assessment can yield valuable insight into areas where improvement is needed. Given that independence and objectivity are hallmarks of the profession, the Standards require internal audit functions to complete an external quality assessment. According to IIA Standard 1312: External Assessments, “An external assessment must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization.”

Of course, there also is internal audit guidance available specific to the regulated industry. The financial services industry is one of the most strictly regulated in the U.S. The U.S. Federal Reserve’s Supplemental Policy Statement on the Internal Audit Function and its Outsourcing (SR 13-1) is the leading industry standard for internal audit functions. As such, benchmarking internal audit against SR 13-1 can be an effective way to measure the department’s maturity across the entire internal audit life cycle, including talent, culture, and management’s perception of the function.

Stakeholder Collaboration and Communication

In highly regulated environments, internal auditors frequently interact with external auditors and regulatory agencies. Some regulatory agencies use their own examiners and auditors to conduct oversight activities, while other regulators or standards-setting bodies leverage independent, third-party audit firms to conduct standards-compliance audits on their behalf. Either way, there are several scenarios in which internal and external audit functions may interact.

It is common for internal audit to be asked to supply audit evidence to regulatory agencies and the external auditors. According to Internal Audit’s Relationship With External Audit, a position paper by the Chartered Institute of Internal Auditors, although internal and external audit must maintain independence from each other, “As a general principle, external auditors should be able to use evidence and reports obtained from the internal audit function to assist them in their audit work, inform their understanding of the organization and its control environment, and help identify and assess the risks of material misstatement.”

This practice may help alleviate the audit burden on the organization, as well as control audit costs by leveraging internal personnel to perform audit work. To complement external audit effectively, however, internal audit must understand what external auditors need to review and how to gather and provide data to them in a way that is useful. This requires clear and open communication between the two functions.

It is also important for internal and external auditors to openly communicate relevant developments in the regulatory environment, as well as notable changes within the company. In addition, internal auditors should understand expectations around transparency and what circumstances might warrant voluntary disclosure so they can help the organization communicate proactively if necessary.

Internal audit also can aid the organization in managing the external audit process. This includes helping manage the expectations of all parties involved as they relate to:

  • The cost and timing of the entire external audit process.
  • Facilitating efficient communication between the business and the external auditors.
  • Helping management evaluate the external auditor’s procedures and results.

This collaboration results in internal audit delivering more robustly on its mandate to provide independent and objective assurance and advice to all its stakeholders, and it allows the third parties to satisfy legislative and regulatory requirements that serve the interest of their stakeholders.

Risk Assessment and Prioritization

The way risks are assessed and prioritized in strictly regulated industries may differ from what internal auditors encounter elsewhere. The risk assessment process must be holistic, and both the process and the results documented in detail. In addition, risk assessments should be dynamic. Formal risk assessments should be conducted frequently, instead of annually, to ensure that internal audit is staying abreast of the key risks facing the industry in which it operates. Because of the potential for financial, legal, and reputational damage, regulatory compliance typically ranks near the top of any highly regulated organization’s risk ranking. The risk of regulatory noncompliance can be truly an existential one.

Internal auditors in these environments should always look at any business activity through the lens of potential compliance risk. Beyond financial statement reviews and inspections of existing operations, auditors also must consider compliance risk in the strategic sense when it comes to new business initiatives planned by the organization. Risk of emerging regulation carries a higher significance, too. At a minimum, internal audit needs to keep up with changing regulations, but it also must be able to assess changes on the horizon and express those risks to management.

As a best practice, internal auditors should have a seat at all executive- and management-level meetings. Because of their knowledge of the business and risk and control expertise, auditors can provide an effective challenge at such meetings to ensure that key risks are not ignored. This audit input can enable a more robust and effective enterprise risk management process.

Working in a Regulated Industry

Working in a highly regulated environment can be rewarding for internal auditors. It can provide tremendous opportunities for auditors to demonstrate their value to the organization, provided they are willing to tackle some of the unique challenges that come with the territory.

Faizal Chaudhury, CPA, CGMA

Deputy Chief Audit Officer, Sallie Mae
