Login or request a free trial

APRA off-key on audit

Internal audit and audit more generally has gotten a bit of a workout in a speech on Friday by Helen Rowell, the deputy chair of APRA, and it caused this columnist to sharply draw a breath, roll his eyes, and use language not meant for polite company.

Rowell spoke about the role of internal audit teams in helping APRA-regulated entities better deal with internal process problems.

Her thoughts on the role of internal audit are fine and rather plain vanilla. There isn’t much you can do to make the usual internal audit spiel interesting. 

Ultimately the internal auditor is a check and balance within organisations to ensure that people are behaving, and processes are operating as intended.

Rowell’s address does provide some useful context in terms of poor culture for the assurance audience to which she was delivering the address.

“Examples of these signs of a poor risk culture include inadequate risk management reporting, long-outstanding risk or compliance issues and poor oversight of, or response to, incidents,” Rowell said.

“However, the real skill – and value add that auditors can provide – is to look behind the metrics of poor responses to control weaknesses to understand what the fundamental drivers of such behaviours are, and to call those out.”

Rowell told the audience that APRA was asking internal auditors to look at issues from a ‘people or behaviour’ perspective rather than from a controls perspective.

“You need to look beyond the numbers, beyond the evidence available. It’s still important for you to look at systems, processes and controls, but you need to go deeper and ask why things might be happening from a behavioural perspective,” she said.

“What are the underlying drivers of the control failures, particularly for repeat observations, to understand the behaviours and cultural drivers that may underpin them. Otherwise you could just be seeing a silhouette and not the full picture and your organisation will respond to symptoms, rather than addressing the root causes of the problem.”

This is a sound principle and one that merits reinforcing.

The fact is, however, that the auditing standards applying to the members of the professional accounting bodies that may handle audits of financial institutions regulated by APRA will already have behaviour at the heart of their focus if they have been appropriately taught at university, trained by their professional accounting body with training reinforced by an accounting firm, and they’ve read the auditing standards from start to finish.

Financial statement auditors have had the behaviour of management and staff within an entity at the heart of their work. 

The principles outlined by Rowell are nothing new for auditors that have worked on the financial statements of entities in the financial services sector.

Auditing standards for those that are members of the accounting professions as issued by the Auditing and Assurance Standards Board require auditors to deal with behavioural issues in the first instance.

The most critical thing for regulators examining the work of auditors is to check whether auditors that are already obliged to comply with these principles follow them to the letter.

I'm a returning subscriber

Password reset
Login

Request a free trial

  • Emailing you the news at 7am.
  • Covering core lending and funding issues, strategy, payments, regulation, risk management, IT, marketing and more.
  • Original news and summaries of major stories from other media – ditch your newspaper subscriptions.
  • Focused on banking and finance, saving you the time spent wading through newspapers and other services.
  • With reporting from former editors and senior writers from the AFR and The Australian.
  • Configured for your phone, laptop and PC.
Free trial Banking Day