With its succession of scandals, one more popping up each time the bank seeks to move on from the last one, Barclays is in the unfortunate position of resembling the blighted Wells Fargo. Fined billions of pounds for foreign exchange rigging and LIBOR interest rate manipulation, the bank is now being investigated by the US Department of Justice over misselling subprime mortgage securities, and by British authorities for alleged criminal activity over the terms of a fundraising in Qatar. Both British and U.S. regulators are investigating the bank’s CEO, Jes Staley, because of his attempt to find out the identity of a whistleblower in 2016. And, of course, it was involved in the insurance misselling scandal along with every other bank in the U.K.
And in an even closer parallel to Wells Fargo, there appear to be further scandals associated with the bank’s wealth management unit. One of its executives, Andrew Tinney, was publicly censured and banned from holding any senior position by the Financial Conduct Authority (FCA) back in 2016 over allegedly destroying a controversial report. He is now challenging this decision, claiming it was based on hearsay. The critical report into the wealth unit’s American team was written by Genesis Ventures, and said, according to the Financial Times that the unit “pursued a culture of revenue at all costs” and was “hostile to compliance." Indeed, there are so many investigations going on at the bank that both the FCA and the Prudential Regulatory Authority (PRA), the unit of the Bank of England tasked with overseeing banks and financial organisations, declined to comment for this article.
With such a litany of scandals, one would hope the board’s audit committee report would be particularly robust. Fortunately, this is the case. The head of governance at the Institute of Directors (IoD), Dr. Roger Barker, said that “if you are a company like Barclays it doesn’t pay to try to present a rosy picture because you want people to have confidence that you are dealing with the issues.” Barker added that the reputation of the audit committee chairman, Mike Ashley, a former head of quality and internal control at KPMG Europe, is particularly strong, and may be responsible for the report’s meaningful disclosure rather than the standard boilerplate. Ashley also sits on the board’s reputation and risk committees. There are now five independent directors on the audit committee, since the bank appointed another in September last year.
In fact, the audit committee report is littered with new initiatives and remediation processes. There is a Controls Maturity Model, which examines major issues identified in the bank’s internal controls systems. This is part of the bank’s new Barclays Internal Controls Enhancement Programme (BICEP). The BICEP programme now identifies material control issues at the “first line” of defence, i.e., management, rather than the “third line” of defence, Barclays Internal Audit (BIA). The audit committee also noted enhancements being made to Barclays’ risk and control self-assessment (RCSA) process. The committee uses output from RCSA to review the control environment. However, finding such an overview somewhat informative, the committee is pleased that management will introduce a more “granular process which should provide greater visibility on controls requiring remediation and associated risks.” This approach was piloted in 2017 and will be rolled out across the Group in 2018.
Audit committee's actions and conclusions regarding internal audit, an example of the robust disclosure
The Committee received semi-annual thematic controls reports from BIA and a quarterly operational report during 2017.
The Committee reiterated its support for BIA’s recruitment plans which reflected significant activity during 2017 to ensure appropriate audit coverage to support the focus on BIA quality across the audit cycle. The Committee Chairman provided input into the recruitment of the two key roles of Head of Internal Audit in Barclays UK and Barclays International.
The Committee observed that the issues arising from unsatisfactory audits indicated that there was still work to do in embedding the required level of control consciousness across the Group and ensuring that control exceptions were highlighted clearly in management reporting. The Committee also requested that senior management support BIA in holding individuals accountable for failure to remediate risks effectively where they had failed BIA validation.
The Committee confirmed that it was satisfied with the outcome of the self-assessment of BIA performance and the independent external review, both of which evidenced that the function generally conforms to the standards set by the Institute of Internal Auditors. It further confirmed that it felt able to rely on the work of BIA in discharging its own responsibilities.
The Committee is providing oversight over the actions arising from the external review.
The status of “specific material control issues and associated remediation plans, including in particular those relating to model risk, resilience, cyber, compliance, technology, credit risk, transaction operations and data management” was also evaluated. Many of these control issues were still ongoing at the end of the year but were reported as “on track.” The committee also challenged progress on the “lessons learned process,” and management took steps to enhance this process and “ensure compliance,” giving this key task to the Chief Controls Office.
The committee also investigated the results of the Designated Market Activity (DMA) remediation plan. This plan monitors the application of Barclays’ regulatory commitments to the Federal Reserve and other U.S. and U.K. regulators over its “sales and trading practices across the FX, Rates and other markets related business areas.” The report also describes a number of unsatisfactory audit reports that were presented from a number of business units, and says that the committee “challenged the business regarding their role in identifying the control issues and requested confirmation from management regarding the remediation programme, timeframe and accountability for delivery and which are subsequently monitored.”
Enhancements were also made to the whistleblower programme as a result of the FCA/PRA investigations of the CEO noted above. An independent review was commissioned by the board, and the board also conducted a survey, the “Your View Survey”, which gathered employees’ views on “their ability to safely speak up… and whether they could report instances of dishonest or unethical behaviour without fear.”
The committee was also involved in the recruitment of key roles to BIA, the heads of Internal Audit in Barclays UK and Barclays International. There has been other recruitment at BIA, though, according to the FT, Barclays’ head of compliance and its head of whistleblowing both left in October, and its head of security took a leave of absence. The committee also commissioned an independent review of BIA which Deloitte undertook during the second half of 2017. The Chartered Institute of Internal Auditors requires an independent external review of internal audit functions to be carried out at least every five years. Deloitte’s review supported an increased headcount for BIA.
In its review of BIA, the committee observed some unsatisfactory audit outcomes that “indicated that there was still work to do in embedding the required level of control consciousness across the Group” and that control exceptions had to be highlighted clearly in management reporting. It was also thought necessary to encourage senior management to support BIA in holding employees accountable for” failure to remediate risks effectively” where they had been identified.
As an investor, especially an indexed investor required to own the stock, there is considerable confidence in this level of activity by the audit committee that, at least in the future, the train of scandals will at least decrease in speed.