“A qualitative analysis of the internal audit function in the banking sector”

In South Africa, the financial sector contributes approximately 10.5% to the country’s gross domestic product (GDP). Although the 2007-2009 global financial crisis did not directly impact the domestic market, it threatened the profitability of the financial sector and triggered changes that affected the role of the internal audit function. In particular, stake-holders’ expectations from the function have significantly increased. Against this background, the study seeks to identify the key success factors of performing internal audit reviews of capital markets business areas within the big four South African banks. For this purpose, in-depth interviews with experienced internal auditors, risk managers and traders were carried out. The study suggests several implications and recommendations for the risk management, internal audit and audit committee functions that can also be adopted by interested parties from non-financial institutions.


Introduction 
In 2007-2009, capital markets worldwide were engulfed by a crisis which had significant economic consequences (Corden, 2008;McKibbin & Stoeckel, 2009;Taylor, 2009). The consensus view seems to be that, in addition to the innovative nature of financial markets (Baxter, 2009) and mismanagements of the products (Hull, 2012), significant failures were noted in processes related to risk management, specifically credit controls (Ivashina & Scharstein, 2010;Lang & Jagtiani, 2010). The reduction of firm's revenues and profitability resulting from the crisis has led to intensifying pressure on internal audit's performance and increasing expectations from the function ( A legal responsibility for all banks in South Africa (South African Reserve Bank, 1990), the internal audit function is acknowledged as key for risk management and plays a critical role in ensuring banks profitability (Fourie, Plant, Coetzee & Staden, 2013;Sarens & Abdolmohammadi, 2011;Terinte, Onofrei & Firtescu, 2016). Further evidence has also linked good company performance to a well-managed internal audit team (Law and Yuen, 2013).
Although South African banks remained resilient during the 2007-2009 crisis, it is still not clear whether local capital markets internal auditors have the right qualities to ensure that shareholder value for banks is not compromised by internal or external market forces. Given the uncertain business environment, it is also critical that internal auditors in the banking and capital markets business area are able to keep up with market developments. Moreo- ver, there is a concern that, in the absence of specific guidance, the function of internal audit within capital markets is not clearly understood.
For that purpose, the present study attempts to analyze the views of capital markets traders, desk heads, and risk managers from the big four South African banks in order to determine the key success factors of a performing capital markets internal audit function. In addition, it provides recommendations on what key attributes internal audit should be measured against.
The article is structured as follows. In the first section, the literature review is presented. It is followed by the methodology and the presentation and discussion of the results.
1. Literature review 1.1. The practice of internal audit. The internal audit function primary role is to provide a view of how well a company's resources are being utilized (Sarens & Abdolmohammadi, 2011). This is accomplished by reviewing the soundness of the bank's corporate governance, risk management, internal controls and compliance processes (Cowan et al., 2013;Soh & Martinov-Bennie, 2011).
In the past, internal audit role was oriented towards corporate governance. However, because of the failure of corporate governance, the internal audit function has become central to enterprise risk management (ERM) (COSO, 2004). The Chartered Institute of Internal Auditors (2012) states that the scope of internal audit has since broadened to strategic and consulting roles. Internal audit's goal is to independently and objectively assess if there are adequate and effective controls for an organization to meet its key objectives. The function is expected to add value and improve an organization's operations (The Institute of Internal Auditors, 2013). The King III Code on Corporate Governance recom-mends that internal audits should focus more on risk than compliance (Institute of Directors Southern Africa, 2009). Continuous monitoring of the control environment rather than conducting annual audits (Malaescu & Sutton, 2013) has been practiced by internal audit effectively (Soh & Martinov-Bennie, 2011). Achieved through data manipulation techniques, the process requires special technical skills for reporting and demands regular engagement with management (Cowan et al., 2013). Its success depends on the collaboration of skills and resources between internal audit and other assurance providers (IIA, 2013b). It forms the basis of the three lines of defence model adopted by all the four major South African banks.
Internal audit reports to the audit committee functionally as well as to management for administrative purposes. The audit committee's mandate includes providing oversight to assurance providers such as internal audit, external audit, compliance and forensics (Institute of Directors Southern Africa, 2009).

Regulation in South African capital markets.
South African capital markets include equity, currency, bond, commodity and derivatives markets (Financial Services Board, 2013). Regulations such as Basel III, the framework of the Financial Markets Act, which applies to OTC derivatives and lays out the legislative basis for the adoption of an enhanced Twin Peaks system, have been developed to address shortcomings There seem to be differing views from several stakeholders about the value provided by internal auditors, therefore, a consensus should be reached in terms of how internal audit value is understood by different stakeholders (Sarens & Beelde, 2006).
The internal audit function needs to become proactive in identifying risks and important issues in place of completion of an audit plan (Millichip, 2010). The function spends more time focusing on financial, compliance and operational related risks, as opposed to strategic alignment, although strategic and business risks are the main risks that affect shareholder value. For instance, financial ratios such as Return on Equity (RoE) are commonly used by financial services to assess the value generated by line of business managers for its shareholders (Pelepu, Healy & Peek, 2013). But according to the European Central Bank (2010), bank performance cannot be measured by financial ratios alone, as banks with high RoE did not perform well during the global financial crisis.
Review of strategic and business related risks increases internal audit's credibility and relevance in the business by signaling strong independence (Roussy & Brivot, 2016).
The use of a risk-based internal audit model by all the banks, such as the ERM framework, places reliance on management to highlight the key risks in the business (Institute of Internal Auditors, 2011). Whilst this creates a platform for internal audit to engage with business, it results in emerging and important risks being often unidentified (Institute of Internal Auditors, 2011). The financial crisis proved that the model is not robust enough (Protiviti, 2013). With no central reporting or transparency of OTC derivatives, it is difficult to manage and monitor the risks associated with these trades (Deutsche Börse, 2008). Furthermore, there is no guidance provided on how to audit ERM, because the model is being improved on a continual basis (Protiviti, 2013).
Timing in risk management is crucial for effective key risk identification. This implies that internal audit should frequently discuss issues timeously with audit committee and management (D'Onza et al., 2016). Internal audit is expected to critically challenge management regarding the findings of reports (Cowan et al., 2013). In addition, they should have the capability to assess whether management's intentions are aligned to the organization's strategy and report any misalignments (Knechel, Salterio & Ballou, 2006 A bank's risk management practices are effective when different levels within the organization are also supportive of risk management initiatives (Fir-stRand, 2012). This is enabled by frequent engagement of management and risk managers with internal audit (Cowan et al., 2013;Endayah & Hanefah, 2013). Endaya and Hanefah (2016) evidenced that senior management support positively moderated the relationship between internal audit characteristics and internal audit effectiveness. Similarly, Roussy and Brivot (2016) show that the quality of audits is positively affected by close interaction with the top manager. The challenge lies with internal audit to reassure stakeholders that they can provide a valuable service to the business (Sikka, 2009).
Internal audit is also expected to be corporate ambassador within the banking environment (Sarens & Beelde, 2006). To this aim, internal audit needs to understand internal stakeholders expectations, communication gaps often result in misaligned expectations (Institute of Internal Auditors, 2011).
Internal audit should demonstrate support of management's strategic initiatives through objectively providing assurance and consulting to senior management on a regular basis. A study conducted for South African listed companies revealed that some internal audit members were not aware of other risk management forums that existed in the organization (The iKutu Research Team, 2010). This is a cause for concern as internal audit is an integral part of risk management. Therefore, the internal audit practice is encouraged to develop and manage a relationship with the AC, capital markets management and the risk managers, although this is over and above administrative reporting lines.
The board plays a vital role in the success of internal audit by guiding internal audit in objectively managing and monitoring the key risks, internal controls and governance processes of an organization (Institute of Internal Auditors, 2011). The extent to which internal audit performs in identifying control weaknesses and in determining which business areas to review as per the audit plan forms part of the audit committee's oversight role (Institute of Directors Southern Africa, 2009; Nedbank, 2012). It is therefore, important for the 'right tone' to be set from the top, because this makes it easier for the rest of the bank to adopt recommendations made by internal audit. In addition, it will enhance internal audit's credibility and recognition within the bank. However, it is worth noting that the tendency to complacency of internal auditors has been criticized in the light of the financial crisis (Chambers & Odar, 2015). It is also argued that managers may have veto power over internal auditors to minimize risks (Norman, Rose & Rose, 2010).
Additionally, although this is out of the norm for internal auditors, it has been suggested that internal audit should communicate directly with regulators, as opposed to relying on the compliance team for a link to regulators (Chambers et al., 2015). This is more important in financial services as regulators are relying on internal audit to identify key risks in the banks (Cowan et al., 2013).

Skills.
In South Africa, internal audit is a scarce skill, and as a result, staff turnover is high (Fourie et al., 2013). This leads to some key risks not being prioritized. For example, corporate governance is viewed as a key risk by regulators, however, a survey suggested that CAEs and the audit committee have not prioritized this as a key risk because of staff constraints (Cowan et al., 2013).
In addition, there is a concern from business that internal audit lacks business acumen and the relevant skills to provide sufficient audit coverage (Sikka, 2009). It is highly recommended that internal auditors should be strategic thinkers that can offer a much deeper insight (Arena & Azzone, 2009). This is challenging, because it is difficult to attract the right skills for capital markets internal audits, and retaining this talent pool has proven to be challenging (Protiviti, 2013).
High turnover rates incurred in internal audit departments result in the business being impacted, as the auditors are replaced with less experienced and knowledgeable people (The iKutu Research Team, 2010). A skills audit should be conducted first to assess what gaps there are before any training is scheduled.
Critical analysis and knowledge of various risk management approaches have been identified as key skills for long-term success in an internal audit department (Reynolds & Aggarwal, 2012), therefore any shortages of these skills should be addressed.
Job rotation program between internal audit, risk management and traders should be considered to address shortcomings cited above, as these rotation program aim to promote job satisfaction, reduce staff turnover and increase job performance (Bond, 2011). Holm and Zaman (2011) suggested that internal auditors should be well trained to ascertain that the work they deliver is of a reputable standard. Although this could benefit their stakeholders, it might not be enough to identify key emerging risks. Protiviti (2013) highlighted that this may be due to the fact that internal auditors often lack the required diverse skill set of understanding the business strategy, the organization's risk culture and understanding how decisions made will impact the future of an organization. A qualitative assessment of each function's expectations and perceptions was applied in order to ascertain whether the themes developed were deemed as relevant critical factors and whether there were any new factors that would enhance the quality of performing audits in the dealing rooms. The purposive sample comprised fifteen capital markets internal auditors, risk managers, capital markets traders, senior managers and executives ( Table 1). The sample specifically targeted risk managers who were previously internal auditors. All respondents had at least 10 years working experience in the field and all internal auditors selected had worked at the big four external audit firms or another big four banks. Amongst the traders, only those who had engaged with internal audit in an audit review were selected.

Population and
In addition, a judgemental sample was applied to select a sample across the banks. The banks were ranked according to the success they achieved in foreign exchange trading for the year 2013. This was to ensure that the researcher obtained more views from banks whose trading desks were performing well. Standard Bank is recognized as the bank with the largest footprint in Africa and it is reported as the largest bank by asset size, so the researcher skewed the sample and applied a judgemental weighting to obtain a fairly representative sample from Barclays Africa, RMB and Nedbank.

The research instrument.
Following two prior pilot studies, an in-depth interview technique was used to conduct face-to-face interviews with the respondents. The data collected were recorded and notes were taken during the interview for analysis. Furthermore, open-ended questions were used to allow for flexibility and obtain additional insight into the respondents' views (Bryman, 2012). Finally, observation of interactions between internal auditors, traders and risk managers was conducted (Merriam, 2009) on an ad-hoc basis, as and when the interviews were conducted. Field notes were taken for observations made.

Data analysis and interpretation.
The study used thematic analysis to try and identify key themes and assess whether they would refine, match or add to the critical success factors developed from the literature reviewed (Bryman, 2012).

Limitations, validity and reliability of the study.
The study was conducted publicly and all procedures applied were transparent, to build trustworthiness and credibility of the study (Yin, 2011). However, some of the respondents might have had unfavorable internal audit reports that highlighted control weaknesses in their areas, which might have affected their objectivity.
Data triangulation was employed to increase the study validity (Hussein, 2009;Bryman, 2012). To get an unbiased view, traders and risk managers were also interviewed to cross-check information responses provided by internal audit. Additional opinions were obtained from various experts in the field.

The necessity of value creation.
Overall, the responses indicated that value creation is mandatory for the success of an internal audit function. The study found that all the respondents expect the internal audit function to perform at a higher level if it wanted to create value.
All the respondents, including internal audit, conceded that for internal audit to add value, a firmer understanding of the business and its key drivers was needed, similarly to Clark, Gibbs and Schroeder (1980). However, the majority (87%) of the internal auditors interviewed admitted that they were unsure what greater value could be delivered to capital markets. Identification of issues proved to be a challenge, although market, credit and operational related risks are discussed during numerous risk committees. One seasoned equity derivatives trader emphasized the identification of high quality real risk.
From a risk management perspective, despite that 80% of internal auditors indicated that following business news gave them a sense of the issues in capital markets, value creation required a more thorough and proactive approach to information rather than relying on the business assurance providers.
The respondents added that value creation should be based on a continuous monitoring of the internal control environment. Internal auditors suggested that their audits were process based instead of risk based. This concurs with the views of Reynolds and Aggarwal (2012), who mentioned that internal audit does not prioritize strategic risks. Protiviti (2013) adds that heavy reliance on audit methodologies does not encourage the critical thinking that business expects from the function. Focus on audit control objectives prevents auditors from identifying the important issues. Additionally, audit methodologies should be adjusted accordingly to the regulatory changes in capital markets.
Amongst the concerns raised, the model from the Institute of Internal Auditors (2011) needs to be reviewed. The current model promotes reliance on management to highlight issues, but is proving to be ineffective, or internal auditors are not applying it effectively in capital markets. There is a sense that internal audit is not conducting enough research to identify the driving factors of the banks. Moreover, the respondents indicated that no initiative existed to understand the shareholders' expectations.
According to the study, only 23% of the internal auditors felt included in strategic activities. Internal audit needs to be involved earlier on projects. This will cultivate a culture of internal audit being aware of the current issues (Reynolds & Aggarwal, 2012). More than just aligning strategies, internal audit can play the role of strategic advisor to business. This can be their secondary role over and above the assurance function.

Stakeholder management.
A lot of emphasis from the respondents was placed on the positive impact of leadership on internal audit. Indeed, 90% of the respondents highlighted that leadership set the example with regard to the perception of the internal audit function within the organization. Some respondents added that internal audit leadership should demonstrate that they lived the values of the organization.
More concerning, the study found that 80% of the internal audit respondents misunderstood the board's role. This contradicts the Institute of Internal Auditors (2011) view, which attributes internal audit success to the board. It is important to note that, similarly to the Institute of Internal Auditors (2010) survey, none of the respondents mentioned the audit committee when addressing leadership.
Traders and desk heads from two of the banks reviewed highlighted that internal audit is a centralized function. This resulted in less interaction, as engagements between the groups were facilitated more at a group level than at a business unit level. Internal audit respondents generally (72%) indicated that they had regular meetings with business. Though as an invite was rarely extended from business, internal audit needed to initiate these meetings.
From the traders and desk heads perspective, 95% of the respondents indicated that initiating meetings with internal auditors was unnecessary, as they already liaised with desk risk managers and external auditors for their review of financial controls. Internal auditors at one particular bank indicated that they engaged with the desks through operational risk.
Lines of business management need to recognize internal audit as a business partner. There was also a view from the respondents that some pockets of management did not actually understand the internal audit function's objectives. From the responses received, in accordance with the iKutu Research Team (2010) study, risk managers and traders are not proactive in initiating engagements and building a robust relationship with internal audit. As the third line of defence, internal audit function needs to have oversight of all the risk functions, therefore, barriers are created if it does not engage directly with all stakeholders.
75% of the internal audit respondents revealed that they were not involved in any key strategic meetings with business, whilst 25% mentioned that they did get invited to strategic sessions. 100% of the respondents from all the big four banks admitted that internal audit was not involved as regards to strategic decisions, however, their input was required concerning new products, technologies, or business in new regions.
28% of the internal auditors cited the issue of staff shortages as the reason for not attending meetings with business. This may have negative connotations for internal audit, as the perception may be that they are not interested in attending these meetings.
Moreover, scope issues and duplication of efforts tend to create conflict between internal audit and business stakeholders. Money may be wasted by the bank in additional audit fees incurred.
Furthermore, trust issues seem to affect the relationship between internal audit and stakeholders. This contradicts Sarens and Beelde's (2006) view, which suggests that a stakeholder relationship based on openness yields great results.
Different stakeholders have varying requirements and a one size fits all approach cannot be adopted, especially for traders and desk heads. Internal auditors need to understand the different cultures and environments within the bank. However, on the other hand, the role of management is to co-operate with internal audit, it is, thus, their responsibility to understand internal audit's objective.
Finally, it is recommended that internal auditors expand their network and build relationships with the regulator and other external counterparties.

Skills.
Traders and risk managers alike highlighted that the complex business environment required better prepared and skilled auditors. Additionally, 78% of the respondents valued quick learners and professionals who would stand their ground when being challenged.
Tough economic conditions have resulted in banks retrenching staff and this greatly impacted some business functions (Absa, 2012;FirstRand, 2012;Nedbank, 2012;Standard Bank, 2012). This resulted in knowledge gaps, high turnover rates, loss of critical skills and banking experience knowledge amongst the internal audit functions in all the big four banks.
It is, therefore, critical for banks to implement a culture of preserving knowledge. 60% of the respondents pointed out that they had considered approaching former internal audit staff to fill in the gaps, while 40% suggested that they would be hiring. However, the respondents indicated that, despite the fact that internal audit is a core function which cannot survive with restricted capacity, there have been several unfilled vacancies without any suitable candidates.
To facilitate a skills transfer process, rotation programs could be implemented within internal audit, risk managers and traders. This will raise the risk awareness of traders and provide internal audit and risk managers with first-hand experience of how the company conducts its daily business. There is little alternative, because, as Arena and Azzone (2009) highlighted, the CIA qualification does not equip internal audit practitioners to be ready to tackle business-focused audits. This may very well support the views of the traders who indicate that when new internal auditors join the team, they are not prepared to service a function such as global markets or trading.

Conclusion
Economic and regulatory pressures have motivated for a more rigorous and effective approach to internal audit and the findings of this study suggest several recommendations for the risk management, internal audit and audit committee functions.
Firstly, risk managers should leverage off internal audit capabilities to not only ensure effective quality risk management across the banks, but also increase their expertise in other risk disciplines. The chief risk officer needs to be the driving force of a collaborating risk unit. Effective communication amongst the assurance providers will encourage an approach where different strengths are combined to increase the effectiveness of risk management within an organization and avoid gaps in risk identification.
On the other hand, the internal audit professional bodies need to take charge of the profession before another crisis occurs and the function is scrutinized again. The chief audit executive needs to be prepared to support, promote the initiatives of his team, and highlight the merits of partnering with internal audit to promote synergies. This may be achieved by solidifying relationships with business and risk management in order to get closer to issues. The internal audit function ought to incorporate a thorough learning culture of understanding the key drivers that impact shareholder value.
Annual financial statement analysis and peer comparisons should be conducted so that the internal auditors are well informed and aware of the internal and external factors that are influencing the organization's internal controls. The big four internal audit teams could be evaluating each other's functions and assessing what they can leverage off each other. These teams all operate in silos and some success factors can be shared without divulging confidential information. Thus, a better information and awareness on internal and external factors that are influencing the organization's internal controls can be retrieved.
Proactively managing and monitoring the key success factors may also yield fewer staff turnover rates from internal audit because of value creation. Internal audit management should be open-minded and encourage transfer within the organization. Staff rotation programs should also be negotiated with line of business management. This will address the issue of staff turnover and inadequately skilled practitioners.
The audit committee needs to perform its own independent assessments of the internal audit function to validate that expectations are met and to get a firsthand account of internal audit performance. A closer and collaborative relationship between the audit committee and internal audit will promote the image of the organization, as discussing organizational drivers first hand at a board level and management will empower them to be corporate ambassadors (Stewart & Subramaniam, 2010). The annual audit process recommended by King III needs to be reviewed, because business evolves and the audit committee should allow for unplanned audits. Besides, the audit committee should promote cross skilling between internal audit and line of business, and monitor internal auditor skills development. A lot more internal auditors should be technically astute to deal with these capital markets audits.
Alignment of internal audit strategy to the business strategy should be advocated at an audit committee level. This will ensure that internal audit remain relevant and focused on key issues that impact the survival of a bank. The audit committee should also obtain input from the board on topical issues. Accordingly, the content of professional training, including the Certified Internal Audit (CIA) training, needs to be re-evaluated with more emphasis on the alignment of internal audit strategy to business strategy.