Regulators are responding to these challenges and, at the same time, creating their own web of obligations. When responding to challenges, regulators should be aligned with the business in the sense that they are forming responses to emerging risks and expectations. However, in doing so they create obligations that must be addressed, often accompanied by reporting that increases the workload for busy and resource-constrained second- and third-line functions.
Regulators exist to protect individuals, but also to protect the system
For example, in banking there is a fundamental obligation for the regulator to create an environment where failure of one of the systemically important firms carries a negligible risk to the overall banking system. Failure of one firm has the potential to drive a loss of public trust with widespread consequences for which the regulator would not be forgiven.
Insurance companies must similarly be protected. Consumers need to feel that if they pay premiums they can go about their day-to-day business without fear of the financial consequences of unknown or unanticipated events. Businesses need to be able to take risk knowing there are parameters around the potential losses. So, the system must be protected.
This can be a different perspective from the way in which a company internally assesses risks. It can also detract from the needs of investors on one hand, and consumers on the other. Increasing, and sometimes time-consuming, obligations are passed on to companies.
A cause for concern?
Many CAEs, as well as Audit Committee Chairs, are concerned that a focus by internal audit on responding to regulators takes away the flexibility and capacity of internal audit functions to respond to the prioritised risks identified by the Board and Executive team. This can be because:
- Responding is time consuming and ties up valuable resources;
- The requirements can create urgency with short deadlines that are not aligned with the organisation’s audit plan; and
- The focus may be very narrow and feel like it is more second-line and compliance orientated.
It can create frustration and worry that insufficient attention is paid to the risks the business considers to be more significant. While the directors may understand the value of an independent assessment through the lens of the third-line, they may feel it’s disproportionate in some circumstances.
The right response from internal audit
In responding to this, we believe auditors should try to look beyond the specific regulatory requests to the underlying risks that the regulation is intended to address. We may not always agree with the form that regulation takes and, perhaps less so, with the nature of reporting or disclosures required. However, regulators do have clear objectives and intentions in protecting the system and the consumer. Understanding these enables us to embed the work within the broader plan.
Putting ourselves in the shoes of the regulator means examining the risks they are concerned about. When we do this, it is generally possible to align these risks with the risk profile of the organisation. This enables us to:
- Reposition the work required to deliver the regulatory confirmation or reporting in the context of the risks and in the language of the company;
- Determine how best to approach the audit, potentially extending the work beyond the needs and expectations of the regulator to address more fully the risks within the company; and
- Determine how real value and insight might be obtained in responding to the company’s risks.
It may be that this work is performed in an order that was not, in the first instance, the choice of the company or the internal audit function, perhaps earlier than it might otherwise have been addressed. However, incorporating it more fully within the plan and aligning it with the risks avoids the need for duplication or further work later, while extending the coverage.
The benefits of alignment
Aligning our thinking with the regulator has broader benefits. All organisations seek a positive and constructive relationship with their regulators. Attempting to position the regulators' priorities in alignment with the organisation's own provides positive evidence of pulling in the same direction toward common goals. Additionally, there may well be learning for the organisation about the reasons the regulators are prioritising a particular issue, as well as the potential to benchmark with other companies that are facing the same regulatory requests.
Conclusion
Regulatory requests and additional reporting are unlikely to disappear. Across all industries and sectors, the regulators are facing increasing pressure to protect both the system and the individual. Audit functions can help themselves and provide reassurance to directors if the underlying risks and thematic concerns are embraced and embedded in the audit plan.