Does Your Internal Audit Scope Meet Regulatory Standards?
Part One: The Regulatory Standards
One of the areas of focus for the regulators of financial institutions in the upcoming months will be the scope of outsourced audits. We have recently noted a number of clients that have been criticized for audit scopes that are either inadequate relative to the institution's risk profile or simply not comprehensive.
It is well established that the safe and sound operation of a financial institution requires, among other things, a well-established system of internal controls. The regulatory agencies all use a similar definition of internal control. For example, the Office of the Comptroller of the Currency defines it in its Management handbook as follows:
Internal control is the systems,
policies, procedures, and processes effected by the board of directors, management,
and other personnel to safeguard bank assets, limit or control risks, and
achieve a bank’s objectives.[1]
Once a system of internal controls has been established by a Board of Directors, it is necessary to test the effectiveness of the controls and to make sure that bank personnel are adhering to the limits established. This is the role of internal audit. As the OCC handbook points out:
Internal audit provides an objective,
independent review of bank activities, internal controls, and management
information systems to help the board and management monitor and evaluate
internal control adequacy and effectiveness.[2]
Regular, comprehensive auditing of the operations of a financial institution is a necessary part of safe and sound operation. All federally insured financial institutions are expected to maintain an audit function. However, for smaller institutions the cost of employing a full-time internal audit staff has proven to be prohibitive. For most institutions with assets of less than $1 billion, the audit function has been at least partially outsourced.
Outsourcing of the audit function is a well-established practice. The Federal Financial Institutions Examination Council (“FFIEC”) recognized this when it issued a comprehensive policy statement on the process in 2003. The guidance is called the “Interagency Policy Statement on the Internal Audit Function and its Outsourcing”. Since its release, additional guidance has been issued that addresses outsourcing in more general terms[3]. However, the guidance first issued in 2003 remains the seminal guide for outsourcing audit today.
Standards for Outsourcing
The FFIEC guidance makes it clear that the responsibility for internal controls remains with the Board and senior management of the financial institution. Furthermore, the agencies want to ensure that these arrangements with outsourcing vendors do not leave directors and senior management with the erroneous impression that they have been relieved of their responsibility for maintaining an effective system of internal control and for overseeing the internal audit function.[4]
The guidance is divided into four parts:
1. The Internal Audit Function
2. Outsourcing Arrangements
3. Independence of the Public Accountant
4. Guidance for Regulators
The Audit Function
The guidance notes that the audit function is the means by which the Board can test whether or not internal controls are effective.
Accordingly, directors and senior management should have reasonable
assurance that the system of internal control prevents or detects significant
inaccurate, incomplete, or unauthorized transactions; deficiencies in the
safeguarding of assets; unreliable financial reporting (which includes
regulatory reporting); and deviations from laws, regulations, and the
institution's policies. [5]
The function of internal audit, then, is ultimately to inform the Board of weaknesses in internal controls and of possible regulatory violations. There is a great deal of discussion in this section about the reporting structure for the audit function. Ultimately, the critical point is that whatever reporting structure is developed, the auditor must have the ability to report directly to the audit committee.
We note that in many smaller institutions, the results of audits are read out to business line managers and the final reports are delivered to the Board or to the audit committee of the Board. This process often does not allow the auditor in charge to communicate directly with the audit committee. A comprehensive scope should include a comment on the effectiveness of management in carrying out their assigned duties. The guidance is specific that in small institutions, the person responsible for testing internal controls should report findings directly to the audit committee. As a best practice, a member of the audit committee should attend the exit meeting and allow the auditor to raise any concerns that he or she feels should be communicated directly to the Board.
Outsourcing Arrangements
The guidance notes that even when the audit function is completely outsourced, it remains the responsibility of the Board and management to ensure that internal controls are effective. The outsourcing agreement should take into account both the current and anticipated business risks of the financial institution.
The guidance details the minimum requirements for an outsourcing agreement, including the limitation that outside auditors must not make management decisions and may act only in the capacity of informing the Board. Once again, the idea that the outside auditor should communicate directly with a representative of the Board is emphasized.
One of the areas of criticism that we are currently seeing is that internal audit plans do not adequately consider factors that should be part of the risk assessment. Changes in staff, new regulatory requirements, software limitations, and the overall training and experience of management are all factors that should be considered when developing the internal audit plan. As a best practice, the scope of the audits to be performed by the outsourced auditor should reflect the fact that the Board has considered these factors and included them.
Independence of the Public Accountant
For many financial institutions, the temptation is to use the same accounting firm that audits the financial statements to perform the internal audits. This issue presents itself most often at institutions with more than $500 million in assets, because those institutions are required to have an independent audit of their financial statements performed by a public accounting firm. Generally, the guidance limits the ability of that public accounting firm to also serve as the outsourced internal audit firm.
For smaller institutions, there is no prohibition on using public accounting firms; however, the practice is strongly discouraged. In large part, the reason is that the firm that prepares or audits the financial statements must be completely independent. The data used to prepare the financial statements has to be independently verified. When one accounting firm performs both functions, the appearance is that independence is lacking. In other words, the firm responsible for a bank's financial statements may be auditing its own work.
There are several independent firms that specialize in auditing for financial institutions. These firms tend to provide cost-effective and comprehensive alternatives to the public accounting firms.
Guidance for Regulators
The guidance specifies the goal of the examiners' review of internal audit. Examiners are directed to ensure that the audit scope reflects the institution's risk assessment and that the Board has directed the auditor to consider the areas of highest risk. Examiners are also directed to review the auditor's work papers to ensure that they support the findings and conclusions in the audit report. Examiners will also review how findings are communicated to the Board and management. There is an expectation that responses to findings are tracked and monitored until resolved.
We have recently noted that regulators are criticizing Boards for not receiving information about the overall effectiveness of the senior managers they have employed. Examiners have often been critical when the audit report does not specifically draw a conclusion about the training, effectiveness, and capabilities of the senior management in charge of the business line being audited. As we noted above, it is a best practice to give the auditor an outlet to communicate a conclusion about senior management as part of the audit process.