On 21st March, the Basel Committee on Banking Supervision released a consultation on its upcoming guidance for the external audit of banks. Auditors have been tarred, along with institutions like credit rating agencies, with having a hand in the poor practices that led to the 2008 financial crisis. The BCBS’ guidance is aimed at distancing auditors from their FS clients and recruiting them, instead, to the regulators’ side.
The guidelines come in three distinguishable parts: Principles 1-6, where the onus is clearly on the auditor; Principles 7-11, where the onus falls on the firm’s audit committee; and Principles 12-16, where the focus is on tightening the relationship between the regulator and the auditor.
When read in the context of other BCBS guidelines, particularly the Principles for Effective Risk Data Aggregation (RDA), we see an extension of many of the core ideas – creating, as it were, a second line of defence in the auditors. For instance, where the RDA Principles require internal review by staff with key skills (i.e. data professionals) of the firm’s framework for risk data, the audit guidelines specify that external auditors should also use experts where appropriate in assessing specialist functions, such as IT and finance. As a result, everything will be checked and double-checked exhaustively.
However, external auditors are permitted, to an extent, to rely on the results of this internal review. In this way, the audit guidelines add an incentive for firms to carry out the internal review to a high standard: so long as the external auditor has no reason to doubt the internal reviewers’ ‘knowledge, competency and objectivity’, he is permitted to count some of the internal audit’s findings as conclusive. This can be achieved by following the RDA Principles and, if achieved, could save firms greater pain down the line.
In addition, the audit guidelines make clear the intentions behind the RDA Principles’ requirements that banks should be able to deliver ad hoc and ‘near real-time’ reports: they specify that external auditors are now required to effectively ‘sit in the driver’s seat’ and run risk reports themselves. This is not only to check the results of those reports, but also to make a decision as to their reliability and accuracy. As a result, institutions will need absolute faith in their automated systems, even when key persons are removed from the equation.
All of this means that auditors will now be poking their heads into rooms they didn’t previously go near, and asking about processes they might otherwise not have known existed. When this happens, firms can no longer afford to sweep things under the carpet, or keep the metaphorical curtains closed. If anything, the firms that will benefit most from these guidelines will be the ones who ask the difficult questions themselves, and remind the auditors when they forget to ask.