Speech by John Tiner, Chief Executive
IIA (Institute of Internal Auditors) Risk Conference
22 September 2005

Introduction

Thank you for inviting me today; may I say that I am extremely pleased to be here. I am flattered to see that my speech is considered so riveting that it has been awarded the graveyard slot – I can only hope that it exceeds expectations.

My theme today is the regulation of the financial services sector and the impact on internal audit. I would like to change one word of this title to extend the scope to: "the impact of internal audit" as the internal audit function is increasingly seen as a valuable tool in our regulatory work.

The role of the financial services regulator

I should like to start by setting the role of the FSA in context and to provide some background. The creation of the FSA has been a work in progress since 1997 when the functions of banking supervision and investment services regulation were merged into the Securities and Investments Board (SIB) which subsequently changed its name to the Financial Services Authority. Following this, the most significant event in our history was the implementation of the Financial Services and Markets Act in November 2001 which brought a number of other organisations within our remit. These organisations included the Building Societies Commission, the Personal Investment Authority and the Securities and Futures Authority. We are also the Competent Authority for Listing in the UK, a function which we inherited from the London Stock Exchange, and most recently we have taken on the regulation of mortgages and general insurance.

I became CEO two years ago and have structured the organisation so that it has three significant business units to deliver our three strategic aims and, in so doing, to encompass efficiently our diverse community of regulated firms. The business units group activities according to their main stakeholders. We therefore have a Retail Markets BU, a Wholesale and Institutional Markets BU and a Regulatory Services BU. It is possible for both the retail and the wholesale BUs to contain the same category of firm, banks for instance, but their primary customer base will be different: consumers in the high street versus large investment firms with mainly professional counterparties, for example. The Regulatory Services BU ensures that the FSA as a whole functions efficiently and effectively, being responsible for areas such as our IT function and the collection of fees; it is also the area that has responsibility for authorisation of firms and provides guidance and assistance to small firms and consumers.

I mention our organisational structure as background and to put the FSA into context. But to get on to the main purpose of the FSA, our three aims are:

  • Promoting efficient, orderly and fair markets. We are committed to making markets work as the means of best meeting the demands for financial services – best both for customers and for the providers of financial services. We regulate – when we have the choice – only where there is both market failure and the probability that regulation will bring more benefits than costs.
  • Helping the retail consumer obtain a fair deal. We have particular concerns about the information gap between suppliers and customers of financial services – though the retail agenda is very wide indeed. We are working to improve how both suppliers and consumers act. On the supply side to encourage clearer information to be provided and good practice to be followed, particularly in the fair treatment of customers, and on the demand side to encourage a greater understanding of the important financial decisions which individuals are increasingly called upon to take. But there remains an enormous amount for us to do before we can say that an efficient retail market in financial services has been established.
  • Making the FSA an easier organisation to do business with, through improving our business capability and efficiency. This has many facets. Critical to this is the recruitment, training, retention and reward of our staff and the opportunities for improving efficiency by better use of technology.

These aims arise from our statutory objectives which govern the way we carry out our general functions of rule-making, authorisation, supervision and enforcement. The FSA does not operate in a vacuum and we are politically, publicly and legally accountable. To that end we publish an Annual Report which assesses our achievements against our objectives; we are subject to judicial review, appearances before the Treasury Select Committee and we regularly report to HM Treasury.

Our four statutory objectives are as follows:

  1. Market confidence – we aim to maintain confidence in the financial system;
  2. Public awareness – as mentioned earlier we have a responsibility to promote public understanding of the financial system. We do this through schools, the media and our own publications on various aspects of financial services such as endowment mortgages.
  3. Consumer protection – we aim to secure the appropriate degree of protection for consumers. Please note that I used the word appropriate. Being a risk based regulator we cannot protect consumers from every type of risk although through a programme of consumer education and investigation of malpractice we aim to reduce risk to consumers. While we have a mandate to protect consumers it is also important to remember that the principle of Caveat Emptor and the application of this in a world where information is asymmetric is a key consideration – for firms in explaining their products to customers; for customers in understanding the implications of what they are buying and for the FSA in getting the balance of its regulation right.
  4. The reduction of financial crime – we are charged with reducing the extent to which it is possible for a business to be used for a purpose connected with financial crime. Here there is a mix of new and old in the types of crime we are seeing. New opportunities arise for criminals such as in the growth of identity theft and the increase of hacker incidents. At the same time, we are seeing an increase in cheque fraud as firms tighten up controls around electronic payments.

Our objectives are underpinned by a number of principles of good regulation which are enshrined in our founding legislation, the Financial Services and Markets Act. These principles of good regulation require us to consider the role of management, to be proportionate, to encourage innovation, not to get in the way of competition and to be mindful of the internal competitiveness of the UK Market. This is the core of our approach to regulation.

Regulatory approach: How to be an effective regulator

In order that we can provide a proportionate, cost effective means of regulation we have adopted a risk based approach and I intend to expand on this for a while as it is the pivotal point of our regulatory regime.

First let me say that we do not seek to prevent all consumer detriment or financial failures, but accept and indeed plan for a regime in which some losses are experienced and some firms will fail. We do not set out to visit all the firms for which we are responsible. For example, we do not expect to visit or inspect 90 per cent of the firms we regulate because of their risk profile taken in the context of the market as a whole. For these firms we rely on sampling techniques based on the data they provide to us, and on what we call thematic work. Where we can, we choose to operate proportionally – that is to take steps to mitigate risk only if the risk is sufficient to justify the action. By these means we are free to direct our attention and resources to where it is most required. We are of course an integrated regulator, bringing the same principles to banking, insurance, mortgage, investment and securities businesses.

Our aim is to apply available resources to achieve the maximum possible net reduction of risks to our statutory objectives. We therefore strive to embed the principles of good regulation, provide more transparency in our approach and ensure that we use our "tools" appropriately.

The relationship and roles of internal audit and risk management

In firms, risks can arise from a number of sources from the obvious such as the type of business, the type or the effectiveness of the strategy adopted or the type of customer, to the less obvious such as the firms' inability to identify, monitor, manage or respond to business and operational risks. These "control" risks can mitigate or magnify the firm's business risk.

To quote the FSA Handbook "A firm should plan its business appropriately so that it is able to identify, measure, manage and control risks of a regulatory concern". To put this into context, we do not look for controls to cover all business risk as this would stifle competition.

Our concern is that there are adequate, proportionate controls.

Our approach to risk management is encompassed in the ARROW Framework (Advanced Risk Responsive Operating FrameWork). This is the method we use to prioritise risks, using scores according to Impact and Probability: the impact of the problem if it occurs multiplied by the probability of the problem occurring.

This is where internal audit is vitally important, as it can play a leading role in providing assurance that management are properly identifying and mitigating risks arising both from the business operations and internal systems, and from the organisational structure such as group complexity, reporting lines and segregation of duties.

Strong internal control leads to a lower risk scoring and hence a lower level of regulatory intervention.

Role of internal audit

To take another quote from our Handbook:

"Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should have clear responsibilities and reporting lines to an audit committee or appropriate senior manager, be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities of the firm and have appropriate access to a firm's records".

From the perspective of the FSA as regulator, the main issues concerning the internal audit function of an authorised firm are also the concerns of the Institute and the financial services industry as a whole.

The first question to ask is "Is the internal audit function robust enough to challenge senior management?" Clearly if the internal control function is too weak to effectively challenge those responsible for determining the organisation's operations, it has little value in its role of risk control.

Secondly, we believe that the internal audit function should adopt a risk based approach in order to ensure that the business risks within the organisation are being adequately managed through a system of internal controls. Without adopting a risk based approach how can we be sure that the internal audit is addressing the key areas in a proportionate, effective and appropriate manner?

Is the internal audit function effective? Internal audit is subject to the same cost pressures as any other part of an organisation and yet, by maintaining a high quality standard and service, it increases confidence by the rigour of its controls. It can thereby demonstrate added value to the FSA, which may well prevent the commissioning of costly reports by outside bodies. I will come back to this shortly.

A significant question for the regulator is, "what is the internal audit's function in relation to auditing fraud?" Does it have appropriate mechanisms for identifying, investigating and reporting fraud?

The FSA Handbook states that a "firm should ensure that it has appropriate mechanisms in place to assess and monitor the appropriateness and effectiveness of its systems and controls." It then goes on to give examples of the systems and controls that we would expect to be in place. If these are in place, and our supervisory teams consider them of high quality, the internal audit function in effect assists us by providing:

  • An understanding of the adequacy and effectiveness of risk management and control within the organisation;
  • Evidence of action taken to improve the control framework and mitigate risk;
  • Assurance on risk management and the internal control framework;
  • Evidence of key risk exposures and management's response; and
  • An overview of senior management's regard for internal audit and audit reports.

These are significant areas for supervisory teams and can provide a great deal of comfort to the supervisor and in our risk based approach.

And where next?

We are currently developing a new ARROW framework to build on our experience and refine our risk-based approach.

The new framework stresses the importance of internal control functions and in particular the quality of management and governance; and the quality of internal audit, compliance and risk management.

Where the internal audit function is strong we may, as mentioned earlier, seek to rely on the oversight of internal audit rather than requiring a prolonged supervisory visit. We may also rely on internal audit for special work rather than calling on a skilled persons report. I should explain here that skilled persons reports were a tool used by Bank of England supervisors where a problem or concern was detected. Skilled persons, usually auditors or reporting accountants, were called in to investigate and produce a report for both the bank and the bank's supervisor. Sometimes these reports were on the financial reporting function of the banks, but other reports were on internal controls. These skilled persons reports have now been extended to cover the whole of our regulated community. Clearly, if a firm is seen to have a strong internal control system, we can rely on that rather than calling in an outside expert.

Further comfort can be drawn from the steps internal audit takes to ensure effective implementation of regulatory matters, such as actions undertaken as a result of supervisory visits. This is borne out by changes to plans which take account of FSA findings and provide follow-up on actions to ensure the changes are effectively implemented.

The work of the internal audit function and the FSA supervisory function are closely aligned, particularly in the identification, management and mitigation of risk; ensuring that an organisation's operations are conducted effectively, efficiently and economically and that laws and regulations are complied with.

The subtitle of this address is "How this highly regulated environment may have lessons for us all". I believe that the real lesson lies in building on the risk based approach, challenging where deficiencies are found in internal controls and compliance, and continuing to operate with complete objectivity. These aims are taken from one of the Institute's publications but could easily have been taken from the FSA Handbook. From a regulator's point of view, strengthening of internal audit can only further our goals of market confidence and financial stability. Outside the financial services sector it can only strengthen confidence in UK business through good corporate governance.

The FSA provides a challenge and will look at how internal audit operates and the controls in place to deliver good practice. Look to invest in internal audit through people and technology. We will look to you, the internal auditors, to provide us with assurance of effective risk mitigation. When this is achieved, you can expect from us a less "hands-on" and more co-operative approach to regulation. I hope that we will be able to work together to create a better regulated environment for the financial services sector, from the standpoint of internal governance and that of external regulation.

Thank you.