ANZ will rely on staff brought in from EY to assist the bank’s internal policing function while the consulting firm also carries out dozens of projects worth tens of millions of dollars in fees at the bank, raising concerns about the independence of EY’s advice.
The bank’s internal audit team, which supplements its members with “subject matter resources” from EY and other consulting firms, is required to submit fearless independent evaluations about the effectiveness of ANZ’s internal controls to the board audit committee. At the same time EY, like any external service provider, has a strong commercial incentive to maintain a good working relationship with the bank and its executives.
The arrangement raises questions about the ability of any external advice to be truly independent when there is a larger and ongoing commercial relationship with the client, an issue that has been raised by the Hayne royal commission over Clayton Utz’s “independent report” to AMP and regarding multiple “independent reports” produced by EY for insurer Allianz.
The Australian Financial Review has learned the details of EY’s pitch at the end of August to renew its spot on the ANZ internal audit panel.
The ANZ internal audit team uses a “co-sourcing” model, common across the big four banks, where external consultants from a panel of pre-selected firms are used on a project-by-project basis as specific expertise in technology, cyber-security and global markets is required, a bank spokesman said.
“The independence of co-source providers is regularly reported to the audit committee and processes are in place to ensure they are not involved in oversighting work completed by their firm. The total budget for the co-source panel is less than $2 million,” he said.
EY, which did work worth more than $20 million at ANZ in the 2017 financial year, is on a number of internal audit panels across industry and a spokeswoman said that the firm was only a secondary member of the ANZ internal audit panel with no guarantee of work. She added that the firm had strict “processes and protocols in place, as do our clients … to ensure internal audit objectivity is not compromised.”
Internal audit polices controls
The Financial Review has been told that EY’s pitch to continue to be a part of the panel arrangement highlighted that ANZ needed support in a broad range of areas including technology, treasury, risk modelling, financial crime, retail banking, culture and wealth management.
The pitch involved highlighting that 16 of the 22 proposed EY team members had worked previously on ANZ projects with fees ranging from $1450 a day for a general audit consultant through to $5600 a day for a specialist audit partner.
This “internal audit core team” proposed to ANZ includes Tim Dring, the lead partner in EY Oceania’s banking and capital markets team, as the “engagement partner”. Mr Dring is described as having a reporting line to the firm’s ANZ global client service partner, Gerald Dalbosco.
Internal audit teams, known as the third or final line of governance defence, are tasked with ensuring that non-financial systems within a company operate as expected and, in order to maintain their independence, should report directly to the board’s audit committee.
The prudential regulator’s report into failings at the Commonwealth Bank of Australia highlighted the importance of having a strong internal audit function.
Member body Institute of Internal Auditors has made a submission to the Hayne royal commission asking for extra powers for the function including a guaranteed reporting line to the head of the audit committee, after claims they had lost their authority in large corporations.
The institute would not comment directly on ANZ’s internal audit arrangements but noted that professional service firms had to “be careful to avoid conflicts of interest” if they perform both internal audit and other work for a client.
“The notion that ‘Chinese Walls’ operate to avoid conflicts of interest sounds theoretically achievable, but the reality is it places enormous pressure on the head of internal audit and the audit committee to rely on the advice of consultants, and at the same time ensure that the objectivity, independence and integrity of the internal audit function is maintained,” the institute’s CEO Peter Jones said.
EY on a number of panels
An EY spokeswoman said the institute itself said that internal audit cannot be “independent” given it is “a function of management” and achieves a level of independence through direct reporting to the audit committee and its chairman.
EY is on a “number of panels to provide services to government and business enterprises” and does internal audit work at financial companies including Westpac, CBA, Insurance Australia Group and Macquarie Bank.
“We are not the primary co-sourcing internal audit partner of ANZ but as a member of a secondary panel of firms may be asked to provide assistance to the internal audit team, as long as the necessary objectivity requirements are met,” she said.
“Being on a panel is no guarantee of work. Panels are often established to enable an organisation to select a firm that has the relevant skills and expertise and is not conflicted from performing the work in a particular area.
“Whether it be ANZ or any other client we have strict processes and protocols in place, as do our clients, and these are applied to ensure internal audit objectivity is not compromised.”
In its pitch, the consulting firm itself noted the extent of work it is doing across the firm and proposed a process to ensure that the firm would not evaluate any work or systems that EY had previously done for the bank.
But the possibility of conflict was present even in the pitch with EY making it clear that its “overall relationship” to ANZ was of “paramount importance” to the firm.
The Financial Review has been told that other projects the firm is currently working on include cyber-security testing and “Project Edison” work around the sale of ANZ Wealth’s systems to IOOF.
EY has also helped ANZ put together a report about the bank’s risk management function, based on “Prudential Standard CPS 220”, for prudential regulator the Australian Prudential Regulation Authority. APRA requires this report to be completed every three years “by operationally independent, appropriately trained and competent persons (this may include external consultants)”.
The royal commission heard that executives at insurer Allianz allegedly had consultants EY “rewrite with a more balanced view” an independent risk report that had to be provided to APRA, an allegation EY has strongly denied.