Basel Committee Releases Draft Guidance on Internal Audit Function in Banks for Comment

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


The Basel Committee on Banking Supervision has released a draft of its supervisory guidance on the internal audit function in banks. The link to the 27-page document is at the foot of this summary. Comments are due in March.

The 15 principles in the draft relating to the role of internal audit seem straightforward (there are 5 more relating to regulators and internal audit):

Principle 1: An effective internal audit function independently and objectively evaluates the quality and effectiveness of a bank’s internal control, risk management and governance processes, which assists senior management and the Board of Directors in protecting their organisation and its reputation.

Principle 2: The bank’s internal audit function must be independent of the audited activities. This requires that the internal audit function has an appropriate standing within the bank, enabling internal auditors to carry out their assignments with objectivity.

Principle 3: Professional competence, including the knowledge and experience of each internal auditor and of internal auditors collectively, is essential to the effectiveness of the bank’s internal audit function.

Principle 4: Internal auditors should act with integrity.

Principle 5: Each bank should have an internal audit charter that articulates the purpose, standing and authority of the internal audit function within the bank.

Principle 6: Every activity (including outsourced activities) and every entity of the bank should fall within the overall scope of the internal audit function.

Principle 7: The internal audit function should ensure adequate coverage of regulatory matters within the audit plan.

Principle 8: Each bank should have a permanent internal audit function.

Principle 9: The bank’s board of directors has the ultimate responsibility for ensuring that senior management establishes and maintains an adequate, effective and efficient internal control framework and internal audit function.

Principle 10: The audit committee, or its equivalent, should oversee the bank’s internal audit function.

Principle 11: The head of the internal audit department should be responsible for ensuring that the department complies with sound internal auditing standards and with a relevant code of ethics.

Principle 12: The internal audit function should report to the audit committee or the board of directors and should inform senior management about its findings.

Principle 13: Internal audit should both complement and assess operational management, risk management, compliance and other control functions.

Principle 14: The internal audit function in a group structure or holding company structure should be established centrally by the parent bank.

Principle 15: Regardless of whether internal audit activities are outsourced, the board of directors remains ultimately responsible for ensuring that the system of internal control and the internal audit function are adequate and operating effectively.

I could quibble with Principle 9, which says that senior management establishes and maintains the internal audit function. However, Principles 10, 12, and 15 should compensate for any 'weakness' in #9.

Some of the detailed content reveals some outdated (IMHO) thinking. For example, instead of asking for a periodic audit plan that is focused on addressing the more significant risks to the bank, the document (paragraph 29) asks that EVERY area be subject to an audit based on a cyclical audit approach. I guess the answer is to say that low risk areas are audited every century, but I'm not sure how well the examiners would take that!

I also have a concern that paragraph 31 describes risk management as addressing "market, credit, liquidity, interest rate, operational, and legal risks." Where are strategic risks? Where are the risks that could cause bank failure, learning from the lessons of recent years?

If you work for a bank and have the opportunity, I urge you to read the draft and provide comments and suggestions for improvement.



Posted on Jan 4, 2012 by Norman Marks


  1. Hi Norman,

     Thanks for connecting with me the other day. We appear to have written on a couple of the same topics. I agree with your first point on the establishment of the internal audit function, and the compensating principles. So not much of an issue there.

     In respect to your second point, I agree they have missed out on strategic risks. However, in para 80, given below, they have covered strategy and objectives, and clearly said that the internal audit function is responsible for challenging management on their decisions. A very good point from my perspective.

     The board of directors and senior management are responsible for establishing the bank's strategy and business models. .................................... Both the internal audit function and banking supervisors have an interest in the following:

     (i) Processes for objective setting and strategic decision making; and,

     In respect to para 29, I think there is some confusion in interpretation, as prior to the line you have given it mentions risk assessment. From a banking perspective, they are talking about entities and activities, not line items. The para states:

     The plan should be based on a risk assessment (including input from senior management and the board) and should be updated at least annually. The head of internal audit should ensure that all entities and all activities of the bank are audited at least once within an appropriate period of time (audit cycle).

     Though I agree with you that it can be better worded.

     Would welcome your comments on my post.
  1. Thanks so much for this post. There is very good and helpful information in this post. Keep up the good work. Regards: Outsourcing Governance Audits
