Metrics of internal audit effectiveness in banking sector

A city is a complex creation, not only urban, occupying a specific space, but above all a collection of various socio-economic relations placed in space. The influence of space with the quality of these relations (created during the transformation under the influence of the global neoliberal economy) on shaping the space is unquestionable, hence the growing importance of sociology and sociologists in attempts to define the city and its development. The article is a voice in the discussion about the development of Warsaw, which was launched by the book Joanna Kusiak Chaos Warsaw. Spatial orders of Polish capitalism. This article attempts to analyze the metrics of internal audit function effectiveness. The authors review and discuss the metrics perceived as most relevant and appropriate to the banking sector. The literature review is supported by an attempt to introduce an additional metric of the internal audit function effectiveness. The methodology adopted in this paper bases strongly on the qualitative approach. The article involves an analysis of available literature and own studies, as well as authors’ professional experience in auditing. The metrics of internal audit function effectiveness presented in modern studies strongly favor qualitative approach, focused on assessing the input, process and output of internal auditors, and most notably recommendations issued and their implementation by organizations’ management. The authors suggest supplementing the list of available metrics with an additional method, strongly connected to financial performance of the banks employing the internal audit function. This article introduces an additional possible way of measuring the effectiveness of the internal audit function. This metric can be considered by the banks and can be further empirically verified for appropriateness by entities from other industries, from both private and public sector. related to the method of using BI and the elements that affect it. However, on the way to a certain level of efficiency when it comes to the use of BI, there are obstacles that inhibit or prevent its achievement. The aim of the work is to identify barriers that reduce the effectiveness of BI use in enterprises. have a impact on development

This article attempts to analyse the discussion in the topic of measurement of internal audit function effectiveness. Academic research on the subject is presented in literature since early nineties, but only recently the number of available positions significantly increased. Authors of this paper review the metrics perceived as most relevant and appropriate to the banking sector. In the further part of the article authors suggest introducing additional metric of the internal audit function effectiveness which is perceived suitable for banks.
Before any measurement of Internal Audit function effectiveness could be taken, aims of this function should be considered. Commonly accepted definition of internal auditing is publishedand regularly updated based on changing environmental and business conditions, current version stemming from 2016 -by The Institute of Internal Auditors. It summarizes the nature and scope of internal auditing as well as provides its essential purpose. According to this definition, Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and im-prove the effectiveness of risk management, control, and governance processes (The Institute of Internal Auditors, 2016). Therefore, the definition clearly underlines the core reason of employing internal audit function by the organisation that is bringing value and enhancing its operations.
These expected results could be reached utilizing both activities of internal audit function: assurance and advisory. Assurance services, protecting value of the organization, check compliance with law provisions, adherence to internal regulations and performance of organization's internal control and governance systems. Advisory services, aimed at supporting value creation, help in undertaking best possible decisions, considering organization's stakeholders, its limited resources and expected outcomes (Bednarek, 2016).
Value creation is also supported by on-going professionalization of the internal auditors throughout the world. Given created educational and certification programmes dedicated for internal auditors, professional conferences and gatherings as well as official recognition of the profession by local governments the approach to the tasks is becoming more and more unified and standardized, what adds to common understanding of the function as well as the tasks that are associated to it (Gacoń, 2013).

Recommended metrics of internal audit function effectiveness
Although the idea behind basic goals of internal audit is general and straightforward, there is no agreement for the metrics that would be accurate in measuring the effectiveness of the internal auditing function. Academics and professionals argue not only regarding how it should be verified, but also what particular aspects should be subject to measurement to represent the level of effectiveness. Variables differ in recent publications. Researchers of this issue throughout the world recommend multiple different metrics to be followed. As internal auditing function evolves in time and nowadays should be treated as proactive, advocative duty supporting organization's management rather than back-office unit focussing on compliance issues and analysis of financial data, its recommended metrics are aligned with modern metrics of corporate performance.
M.S. Badara and S.Z. Saidin suggest that possible antecedents of internal audit effectiveness could include effective internal control system, audit experience, risk management and internal auditors' cooperation with external auditors (Badara and Saidin, 2016). Effective internal control system utilized to safeguard organization's assets is first indicator of internal audit effectiveness, as according to academics internal auditors' credibility is enhanced by effective internal control system and very often auditors depend on internal controls while performing their activities. Second metric -audit experience -represents qualification, education and knowledge of the auditor or auditors forming the internal audit function. More experience and deeper knowledge enable auditors to examine commissioned areas more comprehensively and issue more accurate and value-brining recommendations. Risk management is considered third metric due to its close link with in-ternal audit. Management's awareness of the risks indicated by internal audit help organization reaching its goals. Fourth and final metric is cooperation between internal and external auditors. This cooperation is considered key to quality and valuable auditing and could limit auditee's engagement to a reasonable level. This metric could be measured by the degree of internal auditors work that is relied on by the external audit.
Concept of 'value added' approach to internal audit function effectiveness measurement is suggested by R. Rupšys and V. Boguslauskas, who underline the importance of such measurement considering the growing number of internal audit's function stakeholders, including senior management, audit committee and external auditors. These academics suggest incorporation of the three-dimensional approach to the value added concept, dimensions being internal audit input, process and output (Rupšys, Boguslauskas, 2007). Input, that should be understood as all the resources utilized to run internal audit function, include among other auditors training, number of certified auditors, experience in both internal auditing and organization's industry, technology level used and best practices applied. Process, representing the actual acting of internal audit function, is composed by i.a. services rendered by internal auditors, time to address management's questions, completing the audit plan, chargeability, average duration of audit engagement and issued audit reports. Third dimension in the metric suggested by Rupšys and Boguslauskas, output, focusing on the results of internal auditors' work, comprises of management requests number, satisfaction level of the auditees, percentage of implemented recommendations and internal audit function's perception in the eyes of organization's senior management and audit committee.
Considerations about metrics to assess internal audit's effectiveness by Mihret, Kieran and Mula are opened with on one hand obvious, yet difficult to determine factor, that is meeting the purpose of internal audit's function (Bourne, et al, 2000). If the reason to employ internal auditors in the organization is helping organization to meet its objectives, then internal audit should be monitored for rendering such help. The researchers quickly conclude, however, that given lack of empirical evidence supporting the link between existence of internal audit function and meeting the goals of the entity this metric has only hypothetical use. Authors suggest more comprehensive set of metrics, composing of three groups of factors.
First group encompasses internal audit effectiveness indicators: objectivity, proficiency, quality of work performed. Second one embraces management actions done after receiving internal audit recommendations. Authors conclude that even best advice stemming from internal audit work cannot be claimed useful unless implemented by organization's management. Third group, focusing on financial results of the organization, relates to return on capital employed -ROCE.
Having internal audit function according to Mihret et al. not only helps to increase such returns, but also supports accuracy of the returns reported. Authors argue, however, that this set of suggested metrics of internal audit function effectiveness should be considered only bearing in mind the characteristics of the unction itself and the organization employing it. Most notably, type and size of the organization, risk exposure, external audit actions, cooperation with the auditees and internal audit charter should be weighted.
Different angle of looking at internal audit function effectiveness is presented by Italian academics, M. Arena and G. Azzone. Researchers conclude after Sarens and Gramling that internal audit's usefulness should be considered relating to risk: identification, monitoring and improvement (Arena and Azzone, 2010). Still, internal auditors work is highly dependent of organization's senior management opinion on their work. Management'sfrom Board of Directors and Audit Committee to line managers, being most frequent auditees -consent on value-adding character of internal audit is the key factor to IA function success and further its effectiveness. Only willingness to cooperate with internal auditors demonstrated by the management, especially since internal auditors are often only indirectly responsible for internal control and risk management functions in their organizations, can bear fruits. Without that, willingness to implement internal audit recommendations is only limited. Senior management perceiving auditor's advice as valuable, of high quality and reliable would eagerly exploit provided recommendations.
Polish academics are also active in determining which metrics can be utilized in assessing effectiveness of internal audit function. P. Bednarek in his article mentions that value added by internal audit can be recognized in three areas: internal audit processes, its products or results. This consideration is not far from R. Rupšys and V. Boguslauskas suggestion of using three-dimensional approach to assessment of internal audit function effectiveness (Bednarek, 2016).
The researcher, after K. Czerwiński, accepts that financial values are not best metrics to assess effectiveness of internal audit function. The reasons for that are numerous: first and most obvious is that it is uneasy to determine which data should be utilized, one of the other factors considers that internal auditors would consume much of their time to identify and support such financial metrics to prove the reasons of their existence in the organization. P. Bednarek on concluding the review of publications on the subject underlined that metrics which can be deemed most useful are completion of the audit plan and internal audit results metrics. Moreover, he suggested two subjects of empirical examinations that should follow conducted review. First review should focus on determining that organization experiences higher returns on capital employed after employing internal audit -and this is in line with Mihret's considerations. Second field of review considers public sector entities and is aimed at verifying whether organization experiences cost reductions as a result of internal auditors' work.
Difficulties in establishing clear financial criteria for measuring effectiveness of internal audit function are also mentioned by A. Tomaszkiewicz (Tomaszkiewicz, 2010). Author underlines that value-added approach to evaluating internal audit function should consider risk management and consulting areas, at the same time underlining that consulting recommendations and advice can also stem from assurance services rendered by internal auditors. Refraining to the frequently used term that function which cannot be assessed for effectiveness is difficult to manage, Tomaszkiewicz agrees that pure financial assessment of internal audit function would be only limited and not free from errors and omissions. Therefore, more versatile approach is recommended, embracing also preventive character of internal audit services (financial value added on one hand, but preventive character of not losing resources again due to the same reason is also desired and adding value) and number of issued recommendations. Author also suggest using a weighted approach to assess particular recommendations, bearing in mind that their gravity depends on the area where they are given. Organization itself should prescribe weights to particular recommendations, for example giving higher values to advice in the area of strategy and lower grades to recommendations relating to current activities and not influencing direction of organization's development.
Introducing additional measure if IA effectiveness to be used by the banks As presented above, there are many methods of measuring the effectiveness of internal audit. However, none of them is recognized by the whole industry as comprehensive and universal enough to serve as a role model. Unfortunately, it does not help executives to productively manage internal audit function and streamline its efforts in order to maximize its value for a bank. Considering special role of the banks in economy and their proneness to agency problem due to dispersed ownership, internal audit function employed by the bank leans towards assurance services rather than consulting role. Moreover, highly regulated environment of the banking sector, having disciplinary influence on the market, what was empirically confirmed by A. Hryckiewicz-Gontarczyk and M. Pawłowska (Hryckiewicz-Gontarczyk and Pawłowska, 2014), further leads to increase of the assurance impact of internal audit function. Therefore, basing assessment of the function's effectiveness on sole qualitative metrics, without pursue to utilize some financial indicators, should be regarded inadequate. This article is an attempt to propose a measure which could be used as a starting point and "common denominator" to assess internal audit's effectiveness in banking sector.
According to The Polish Banking Act all banks must have internal control system. Its purpose is to ensure: • effectiveness and efficiency of the bank's operations; • reliability of financial reporting; • compliance with the risk management principles at the bank; • compliance of the bank's operations with the provisions of law, internal regulations and market standards. Such a system consists of: • control function responsible for ensuring the operating effectiveness of control mechanisms; • compliance unit responsible for identification, evaluation, control and monitoring the risk of non-compliance of the bank's activities with regulations, laws, internal procedures and market standards and presenting reports in this area; • internal audit unit responsible for examination and assessment, in an independent and objective manner, adequacy and effectiveness of the risk management and internal control systems (excluding its own, i.e. internal audit's, activity).
Basel Committee on Banking Supervision defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk. The same approach is applied in Recommendation M on operational risk management in banks issued by Polish Financial Supervision Authority (FSA) and in Supervisory Review and Evaluation Process (SREP) run by FSA.
Based on the above landscape and division of roles and responsibilities, one could form a hypothesis that a regular internal audit function in a universal bank is primarily focused on operational risk (i.e. examination and assessment of internal processes, people, systems and external events). Therefore, its effectiveness may be evaluated from the perspective of operational risk management where the measure of success would be the level of operational risk materialization, i.e. operational losses.
As per requirements of The Capital Requirements Regulation (CRR), this information is mandatory and is published by most banks, including the ones listed on Warsaw Stock Exchange in Poland. It is worth noting that: • it is reliable as it is included in disclosures on capital adequacy which are validated by the bank's external audit; • it is easily and publicly available (e.g. via the Internet); • it is comparable between banks and therefore it can serve as a benchmark. The WIG-banki index, which includes banks listed on Warsaw Stock Exchange, consists of 15 entities. In this article data was gathered and analyzed for 9 of them (60% of population) which are the biggest in terms of assets for the period of the last 5 years, i.e. 2013-2017.
The level of operational losses is presented on the following Charts 1 and 2. Obviously, analyzing operational losses data in absolute values makes little sense and provides limited cognitive value to the appraiser. This data needs to be correlated to other metrics to become meaningful indicator which can be compared amongst banks. Revenues or assets seem to be the best fit for this purpose.
Level of operational losses to assets is presented on Charts 5 and 6.
Although slight differences may be observed, the overall distribution of both ratios (OpLoss/Reve, OpLoss/Assets) is almost the same. Therefore, both may be used as -imperfect but valuable -measure contributing to the assessment of the effectiveness of internal audit in banks. The average levels of those ratios are presented in table 1 and table 2 below.
The average for the whole sample (9 banks which are listed on Warsaw Stock Exchange and are the biggest in terms of assets) for the period of 2013-2017 amounts to 0,52%.
The average for the whole sample for the period of 2013-2017 amounts to 0,02%.
Source: own elaboration based on data published by the banks. OpLoss/Assets (avg.) 0,02% 0,02% 0,03% 0,03% 0,02% To conclude, it is recommended to use the OpLoss/Reve ratio, rather than the OpLoss/Assets one, as it is more precise and sensitive to changes and fluctuations. Based on performed analysis it may be proposed to assume that the value of the OpLoss/Reve ratio on the level of 0,50% is considered to characterize banks with effective audit (i.e. satisfactory assessment).