What is Internal Audit?
Internal audit is a functional team that assesses the quality and effectiveness of the bank’s internal compliance, control, risk management, governance and operational procedures and systems.
Most countries mandate the creation of an independent Internal Audit (IA) team which must be provided with adequate resources and access to perform their roles of assessing governance and control structures. At most large banks, the internal audit team reports directly to an audit committee made up of board members.
Internal audit teams may be best thought of as the eyes and ears of the bank’s board of directors. The board is responsible for ensuring that the bank is operating within accepted risk tolerances – whether that be operational risk, market risk, concentration risk, reputational risk etc. Internal auditors get unfettered access to all operational and business teams in order to make this assessment on a regular basis and report their findings to the board.
Failing an internal audit repeatedly can be a career-ending disaster for heads of business units. As you can imagine, this has taken on new impetus after the last crisis. Governments and shareholders are wary of unnecessary risks being taken by management for short-term gains.
Internal auditors specialize in a few functions or business areas that they audit on a regular basis. Such specializations lead to better performance and improved results when compared with being a generalist. Here are some examples:
- One IA team might specialize in covering investment and asset management businesses and their related teams like operations, finance, technology and so on.
- Another audit team might focus on the markets side and execute portfolio-wide audits of alternate investments, exchange-traded funds, capital markets, trading, trade operations etc.
- Yet another team might focus on auditing the risk functions and look at the robustness and accuracy of the risk management infrastructure, monitoring the quality of risk methodologies, assessments and ratings.
The internal audit process may be divided into the following broad categories:
Setting Audit Goals
- The first part of the job is to clearly understand the compliance, governance, operations and risk management policies which have to be assessed.
- The audit team then prepares a plan of execution in advance, which serves to guide them in terms of what aspects to look at and how to evaluate each metric.
- Internal auditors go through all records, paperwork, communications, memoranda etc. that are relevant to their audit.
- Coordination is required with internal stakeholders, business units, other audit teams and even third-party specialists.
- General management issues such as audit timelines, staffing, budgeting, resource allocation and other aspects also need to be handled by senior IA professionals.
Issue Identification and Validation
- Each department’s control, operational risk management, regulatory reporting, compliance and other risk thresholds are assessed for adherence to management guidelines.
- Any deviations are identified and then further assessed in order to validate breaches or failures.
Assessment and Reporting
- The last phase of the internal audit process is to assess the impact of any deviations or lapses.
- The final report is prepared for submission to the board and includes details of how each business division performed with specific mention of areas of improvement or outright lapses.
As I mentioned earlier, the internal audit report is taken quite seriously and may lead to serious management shakeups if any serious lapses are detected. Oftentimes, cases of fraud that hit headlines are detected during internal audits like these and are self-reported by the banks to the authorities.
Qualifications and Skills
Functional expertise – Each internal audit team is assigned to some specific business or a silo of similar business units. As an auditor, you have to specialize and learn everything there is to know about how that business unit functions in order to properly audit them.
For example, consider a situation where you are auditing the credit risk department. You have to look at all the systems, infrastructure, processes and then evaluate if those systems are compliant with the broad guidelines laid down by the bank’s board of directors. Then you might have to look at a sample of individual cases and assess if proper procedures were followed when ascertaining the risk in those cases.
Any anomalies that are found must be investigated by interviewing specific individuals and understanding their thought process. If you’re going to evaluate how someone is doing their job, you surely need to have a very solid understanding of what they ought to be doing.
Communication skills – Although internal auditors spend a lot of time poring over documents, you really need to be able to communicate with all stakeholders in order to maximize your job efficiency.
- You will be communicating with other auditors in order to share the workload or make use of their functional experience.
- You also have to communicate your findings all the way to the board.
- But most importantly, you have to communicate with the team that is being audited and get the necessary information from them.
Technical expertise – Internal audit roles require the technical expertise to understand IT systems and process notes, decipher product specifications and information memoranda, and thoroughly understand regulatory guidelines etc.
A clear understanding of specific business and market risks associated with each division or business unit is required. Most internal auditors generally have a few years of accounting or compliance experience under their belts.
Ability to exert influence – The internal audit team is a cost center which has to go toe to toe with the big revenue generating departments and tell them what they are doing wrong. The people that you would be dealing with at the front-end are seasoned veterans who generate hundreds of millions of dollars in revenue.
Yet, they are not free from bias or mistakes and it is your job as an internal auditor to probe them, look at all their dealings and try and find flaws in order to strengthen the business unit. It takes a lot of “persuasive rationalizing” to make your presence felt!
How to get into Internal Audit
To get into internal audit, you need to focus on your certifications, functional experience and get some relevant work experience under your belt. Let’s take a closer look.
Work Experience and Academics
Internal audit roles are generally suitable for accounting professionals with a few years of solid experience already. Experience with financial services related audit roles is quite common. Many auditors generally have some sort of experience with banks or specialized accounting firms.
In terms of academic qualifications, a bachelor’s degree in business, accounting or finance is mostly sufficient. For more senior roles, you just need more experience or one of the many certifications listed below.
The following courses will help you get a basic understanding of the internal audit process. These courses lay the foundations of what internal audit is all about, the type of data you need to look at and how to go about doing that.
These are both excellent courses covering the fundamentals and going into some detail. They should take about 30 hours each, are very reasonably priced and would go a long way to add value to your CV. If you have no prior internal audit experience, you need something like this on your CV.
Although it is not mandatory to have a CPA certification, most internal auditors do tend to be certified accountants. Different banks have different requirements and here are some that are generally preferred:
- Certified Internal Auditor (CIA) – The CIA is a globally recognized internal audit certification issued by the Institute of Internal Auditors. Although it is not a mandatory requirement, it is one of the preferred certifications.
- Certified Public Accountant (CPA) – The American Institute of CPAs develops and scores the Uniform CPA exam.
- Other certifications include the Certified Financial Services Auditor (CFSA), the Certified Information Systems Auditor (CISA), Certified Fraud Examiner (CFE) etc.
Building your resume for internal audit
You need to focus on three broad areas when building a CV for an internal audit role:
Firstly, you need to focus on your professional qualifications and certifications. If you are a CPA, CIA, CFSA etc., then that will add tremendous value to your CV. If you hold one of these certifications, you will likely join at a higher position and your compensation will likely be significantly higher. It is highly recommended to get certified if you want to get a nice career boost. Think of it as an MBA.
Secondly, you need to focus on your work experience. Internal audit is not a role where you can generally get in fresh from college. You need to spend some time in accounting or compliance roles and then move on to IA because it requires superior knowledge and understanding. Focus on your breadth of experience and functional knowledge when building your CV.
Lastly, you must display functional experience. Internal audit in banks can be quite a bit more technical than in other Fortune 500 corporations. The reason for this is that bank products are often quite complex and require deep understanding of several finance concepts. It requires superior knowledge to qualify for these roles, but that is why they pay much better as well.
Completing one of the courses mentioned above would also go a long way in strengthening your CV and showcasing your interest in the field.
Salary and Bonus
According to PayScale, internal auditors have a salary ranging from USD 45,000 to USD 80,000 plus a variable compensation of around USD 8,000. Salaries in the UK range from GBP 30,000 to GBP 70,000 with an additional variable component of around 10%.
It should be noted though that the salary figures for large banks and financial institutions are towards the higher end of that spectrum. Professionals working in large cities like New York, Chicago, London etc. also get a 10% to 20% incremental cost-of-living adjustment to their salaries.
Leadership roles in IA like VPs or senior audit managers can expect to earn well north of USD 100,000 plus a larger variable component. Chief auditors can make anything from USD 150,00 to USD 400,000 (depending on the size of the bank) but that usually requires a decade or two of work experience.
A Normal Day in Internal Audit
Internal audit is a regular 9 to 6 type of job for the most part. The exception is when you have a tight deadline and, on those days, you might even be expected to pull an all-nighter. However, such days are usually rare and happen maybe a few times a year.
Outside of such crunch times, you will spend the majority of your day answering and responding to emails, looking at data, and reviewing policies and guidelines.
There is a lot of training involved as well. Compliance and internal audit professionals have to undergo more training than any other bank division that I can think of. You have to be the expert at governance policies, regulations and even business processes. It’s not surprising then that auditors spend several weeks of the year undergoing training and re-certification.
Your role may require a lot of travel as well. For example, some banks rotate internal audit teams between countries to ensure that a different team conducts the audit each subsequent year!
Career Path and Progression
These are the four main career paths available to you in internal audit:
A role very much in demand
While it’s not as glamorous as many of the front-end revenue generating departments, being in the internal audit division at a bank has several advantages of its own:
- Firstly, you will have tremendous job security as there is a significant demand for internal auditors. Just search for some open IA roles in your favorite job search engine and look at the thousands of openings available. While some other bank roles are susceptible to automation, IA has just been expanding rapidly like most other control and governance functions.
- Secondly, you have the option to move into a variety of other high-demand roles like compliance, corporate governance, regulatory reporting and so on.
- Thirdly, you are significantly increasing your value by being an internal auditor for a bank. Banks are big clients and accounting firms will want to hire you so that they can pitch you as a financial services specialist when pitching to their clients.
The internal audit function has its own chain of command. Senior level positions are generally classified as internal audit director, vice president, chief audit executive, auditor-in-charge and so on. There is not as much standardization in the designations as there is in other banking roles, but there is a nice progression ladder available for those who want to grow organically.
Other Finance/Accounting functions
Internal audit is considered sort of a revolving doorway at some banks. Professionals from the finance, compliance and accounting departments come in, stay for a few years and then move on to other roles.
If you look at the broader scheme of things, internal audit is one of the functional areas of the bank responsible for internal governance and control. Someone who wants to progress in that career track has to get some hands-on experience in all divisions with internal audit being one of them.
Joining the Big Four
The big four accounting firms offer some great career opportunities for people in accounting and audit. In many cases, they offer superior career growth opportunities and compensation because at those firms, auditors are a revenue generating team.
That being said, it is not uncommon for accountants and auditors to move between specialized professional services firms like the Big Four and industry roles.
With enough experience under your belt, you can start your own small consulting practice. Initially your clients will likely be small, but that is okay because you will be retaining most of the revenue. A lot of people go this route as it gives you more flexibility in terms of how much workload you want to take on.