
Published: 17.03.2014 | Topic: Governance | Bernd Wiesemann, BaFin

The internal audit function: Banking supervisors' expectations

The internal audit function is a key component of banks' risk management. The expectations that banking supervisors have of it are correspondingly high. The general legal framework for these expectations has changed over the years. For instance, corporate governance has been strengthened on a number of occasions by various changes in company law, e.g. by the Control and Transparency in Business Act (Gesetz zur Kontrolle und Transparenz im Unternehmensbereich, KonTraG) of 1998.

In addition, the German Corporate Governance Code was incorporated into company law by the Transparency and Disclosure Act (Transparenz- und Publizitätsgesetz) and has since been developed further a number of times.

For credit institutions, the tasks and position of the internal audit function are firmly established in supervisory law. As the Banking Act (Kreditwesengesetz, KWG) does not contain any specific provisions in this regard in section 25a (it only requires banks to set up an internal audit function as part of an appropriate and effective risk management system), banking supervisors have set forth further details on this provision in their Minimum Requirements for Risk Management (MaRisk, AT 4.4.3 and BT 2; only available in German).

Further development of supervisory requirements

The second MaRisk amendment of 2009 gave the chair of the supervisory board the right to obtain information directly from the internal audit function. This provision has meanwhile been codified by the CRD IV Implementation Act which has transposed the rules of the EU Capital Requirements Directive IV into the Banking Act. Since the latest MaRisk amendment of 2012, banks must also notify the supervisory board if the head of the internal audit function is replaced. Finally, the Ringfencing Act (Trennbankengesetz) incorporated into the Banking Act the provision that management board members must ensure regular reporting to the supervisory board by the internal audit function.

Every management board is obliged to structure the internal audit function in such a way as to ensure that it complies with the ever-changing requirements of supervisors. This presupposes that the internal audit function is able to act in a competent, sovereign, self-assured and independent manner. But complying with supervisory requirements is not an end in itself; a strong and efficient internal audit function should be in management's very own interest.

Example: Internal models

One example showing that the interests of the Supervisory Authority and management are, in principle, aligned is the mathematical models used for risk quantification. If a bank wants to use such mathematical models for calculating its regulatory capital charge, these first have to be examined by the internal audit function before they are presented to the Supervisory Authority for approval.

Since the EU Capital Requirements Regulation (CRR) entered into force at the beginning of 2014, banks are faced with more detailed requirements for the ongoing examination of these models. If a bank uses a market price risk model to calculate its capital requirements, the internal audit function now has to examine the entire risk management system at least once a year. Among other things, it must look at how risk measurements are incorporated into daily risk management, whether data are correct and complete and whether the volatility and correlation assumptions are appropriate.

Qualified examination of internal models ensures not only the bank’s stability but also two central aims of banking supervision: the stability and operational reliability of the financial system as a whole and the protection of creditors. The better the models used to determine regulatory capital requirements, the more it can be assumed that the regulatory capital that the banks must use to back their risks does in fact adequately cover these risks. At the same time, the more reliable and valid the results, the more useful the models are for the internal control of a bank, which naturally also applies to models that are not used to calculate regulatory capital requirements but to determine and control the bank's internal capital adequacy.

Flexibility

The environment and the framework conditions of banking business keep changing. This applies not only to market structures and conditions: financial market regulation is also in a permanent state of flux. New legal provisions, including from other areas of legislation, require banks to change their processes, reform their structures and introduce new procedures and methods in cycles that keep getting shorter.

Identifying and assimilating the vast number of new issues on an ongoing basis represents a challenge not only for management boards and the market segments concerned. The internal audit function also has to perform this intellectual adjustment process, i.e. identify and implement relevant changes, analyse their significance and react appropriately. This includes critically examining assessments once made – for example, the classification of an audit area – not only regularly but also and especially in the light of new developments and events, and revising them if they are no longer sustainable. This may be prompted by international developments and events, but also by regional or internal factors. Problems arising at other institutions may also be a reason for an institution to follow up on the same issues in its own organisation. In order to be able to fulfil their tasks sensibly, it is important that internal audit function staff do not become professionally blinkered. They should view their institutions from different perspectives and always question established approaches.

Information and expertise

Only the well-informed are able to react flexibly to new developments. That is why the MaRisk require the management board to communicate relevant instructions and decisions to the internal audit function and to inform them in due time of material amendments of the risk management system. The internal audit function must also observe and analyse the external environment proactively in order to be able to react accordingly. The results of these analyses should be reflected in forward-looking audit planning.

The internal audit function's mission to review the control mechanisms integrated in the internal processes, as well as both the risk control and compliance functions, is considered to be the "third line of defence" 1). In order to be able to fulfil this task, the staff of the internal audit function must have extensive expertise. They must be able to understand and validate the highly complex procedures that risk control works with for valuing positions and the risks they carry, including the calculation logic of the aforementioned risk quantification models. The internal audit function must be able to understand how the risk values are generated on the basis of the input data, on what assumptions this generation is based and what limits are set on modelling. The IT aspects of risk measurement and management must not be forgotten, either. The internal audit function must also be able to independently assess the risk values determined with risk control models.

In order to be on an equal footing with the business units, the internal audit function is required to know how they take their decisions. And for it to be perceived as a genuine partner and taken seriously, the staff of the internal audit function must also have certain seniority.

Involvement in projects

The pace of innovations the financial sector is currently experiencing has resulted in an increasing number of projects. In order to be fit for the future, banks must optimise processes, reduce costs, better exploit their potential and improve their market presence and penetration. Institutions try to achieve these and other goals by implementing projects. The MaRisk explicitly require the internal audit function to be involved in key projects. It must budget for the necessary capacity – both in terms of number of staff required and their qualifications.

Involving the internal audit function in a project helps both sides. On the one hand, the lead units benefit from the internal audit function's expertise, thus reducing the danger of project managers getting carried away. The internal audit function, on the other hand, can influence projects at an early stage instead of having to stop them at a later point in time. In addition, it gains valuable insights into planned structures and processes early on.

Being involved in a project, however, is always a balancing act for the internal audit function. It must by no means jeopardise its independence. Responsibility lies with the units initiating and/or implementing the project. Since the internal audit function has to audit these units once the project has been completed, it may not hold leading positions in projects or positions in which it can influence project-related decision-making.

The internal audit function's role and internal communication

The perception of the internal audit function's role has constantly changed in recent years. Today, internal audit is no longer limited to blocking ideas and developments. Nowadays, rather, the internal audit function plays a constructive role in these. In so doing, pursuant to the MaRisk internal audit function staff have to keep in mind both legal requirements and potential risks. They should also adopt a business-minded perspective. This will earn them respect within the bank, but is also very demanding: internal audit function staff require not only technical expertise but also personal skills.

If the internal audit function identifies any deficiencies, it must pay particular attention to ensuring that these are remedied. Internal audit function staff must therefore have the courage to speak out. Internal communication, i.e. conveying the audit findings, is almost as important as the auditing itself. The internal audit function has to convince all those involved that its findings and assessments will move the institution forward. In situations where damage to the institution is to be averted, it is usually quite easy to get this message across. It may be harder to convince people of measures the direct benefit of which is less perceptible, for example in the case of measures to improve efficiency or to better exploit potential.

Supervisory boards

Communication is also increasingly important in the internal audit function's relationship with the supervisory board. Since the financial crisis erupted the latter has attracted ever-greater attention from the Supervisory Authority and the lawmakers. In 2009, requirements for the expertise and personal trustworthiness of its members were for the first time enshrined in the Banking Act. CRD IV has brought about further changes: the implementing Act explicitly requires members of supervisory boards to devote sufficient time to their job. Institutions are now also obliged to make adequate personnel and financial resources available in order to enable supervisory board members to improve their skills so that their expertise is always up to date.

Unlike the internal audit function, the supervisory board is not involved in an institution's organisation. In order to be able to fulfil their function they therefore have to rely on information from internal sources. In the German two-tier system of corporate governance, the information is generally passed on to the supervisory board by the management board. But as already mentioned above, the Banking Act also gives the chair of the supervisory board the right to obtain information directly from the head of the internal audit function. If the supervisory board has created a risk or audit committee, this right to obtain information is transferred to their respective chairs. In addition, the Ringfencing Act has introduced a requirement for regular reporting to the supervisory board.

In the light of these new and significantly more specific requirements for supervisory board members, it can be assumed that they will make increasing use of this channel of communication with the internal audit function. Supervisory board members need clear, understandable and unvarnished information as well as objective and critical assessments in order to fulfil their function. In order to do so, they should communicate openly with their internal audit function, both regularly and on an ad hoc basis. German company law leaves plenty of scope in this regard to formalise communication beyond the minimum requirements.

Relationship with the management board and the supervisory board

The internal audit function should be a competent partner for the management board and, increasingly, for the supervisory board. The triangular relationship between management board, supervisory board and internal audit function works optimally only when all three bodies have experienced members who know and accept their roles in this structure. Supervisory law has set a number of milestones to strengthen the role of supervisory boards and internal audit functions in the banking sector.

Footnote

1) The first line of defence is considered to be the (self-)monitoring of business units, the second line of defence the in-process controls by non-operational units, particularly the risk control and compliance functions.
