Does Your Internal Audit Scope Meet Regulatory Standards?
A Two-Part Series: Part Two, Setting the Scope
As we noted in the first part of this series, the scope of the internal audit function at financial institutions has been an area of focus for regulators. In particular, regulators have focused on whether the scope of internal audits both meets regulatory standards and is appropriate in light of the overall risk profile of a financial institution. It is the second of these two considerations that has most recently caused findings and created concerns. It is therefore critical that the scope of audits reflect an understanding of the risks inherent at your financial institution.
Using Risk Assessments Effectively
The Federal Financial Institutions Examination Council (“FFIEC”) issued a comprehensive policy statement on the audit process in 2003. This statement is still the definitive regulatory guidance on the proper development and maintenance of the internal audit function for financial institutions.
The guidance states that risk assessments are a key component of internal audits. A risk assessment is defined as follows:
A control risk assessment (or risk assessment methodology) documents the internal auditor's understanding of the institution's significant business activities and their associated risks. These assessments typically analyze the risks inherent in a given business line, the mitigating control processes, and the resulting residual risk exposure of the institution. They should be updated regularly to reflect changes to the system of internal control or work processes, and to incorporate new lines of business.[1]
At smaller institutions, there generally is not a full-time internal auditor on staff. This does not obviate the need for comprehensive and timely risk assessments. Unfortunately, the risk assessment process is often overlooked. The risk assessment should consider the following:
Past Examination and Audit Results
It goes without saying that the past can be a prelude to the future. Prior findings are an immediate indication of a lack of effectiveness of internal controls. It is important that the root cause of findings or recommendations from regulators is identified and addressed. Internal audits should coordinate with the risk assessment to test the effectiveness of the remediation.
Changes in Staff and Management
Change is inevitable, and along with change comes the possibility that additional training should be implemented or that the resources available to staff should also change. For example, suppose the head of Note Operations is brand new. This new manager will want to process loans using his or her own system. Loan staff who are used to past procedures may become confused. Change generally increases the possibility of findings or mistakes. Your risk assessment should take into account the risks associated with changes and how best to address them. In addition, this is an area that should be covered by internal audit, as it presents a risk.
Changes in Products, Customers or Branches
It is also important that your risk assessment consider all of the different aspects of changes that have occurred or will occur during the year. Any new products or services, new vendors, and/or marketing campaigns that are designed to entice new types of customers are all changes that impact the overall risk profile of the institution. The resources necessary to address these changes should also be a consideration for the internal audit.
Changes in Regulations
Over the past few years, there have been a huge number of changes to regulations, guidance and directives from Federal and State agencies. Many of these changes do not impact smaller institutions directly, but many do. Moreover, regulations are often finalized in one year but do not become effective until the following year. Part of your risk assessment process has to consider changes that will affect your institution. The internal audit scope should also consider whether the institution is prepared to meet changing regulatory requirements.
Monitoring Systems in Place
The information systems being employed to monitor the effectiveness of internal controls should be considered. For many institutions, this system consists of word of mouth and the results of audits and examinations. Information used by senior management and reported to the Board should be sufficient to allow credible challenges by the Board.[2]
Using the Risk Assessment to Set Audit Scopes
Once a risk assessment is completed, the results should be directly tied to the internal audit schedule. The FFIEC guidance points out the relationship between the internal audit plan and the risk assessment:
An internal audit plan is based on the control risk assessment and typically includes a summary of key internal controls within each significant business activity, the timing and frequency of planned internal audit work, and a resource budget.[3]
The risk assessment should prioritize the potential for findings, while the audit scope should be developed to test the mitigation steps taken to reduce findings.
The criticism that is often raised about outsourced audits is that the scope is incomplete. This is often the case because outsourced vendors have developed their scope based upon best practices and their experiences at various institutions. While this is obviously a best practice for the audit vendor, the problem is that it doesn’t always fit the individual institution. Information from a comprehensive risk assessment should be incorporated into the scope of an internal audit.
In this manner, the auditor can best consider the areas of risk that are the highest priority at a particular institution. For example, when developing the scope for an independent audit of a BSA/AML program, the scope should include the most recent risk assessment. Changes in the customer base, an increase in the overall risk profile of the bank or a change in personnel are all factors that should be included in the audit scope. In addition, the auditor should consider whether current monitoring systems have the capability to properly monitor the additional level of risk. Finally, the professional abilities of the BSA staff should be considered as they relate to the additional risk.
Ultimately, it is the responsibility of the Board to ensure that the internal audit is effectively testing the strength of internal controls.
[1] Interagency Policy Statement on the Internal Audit Function and its Outsourcing
[2] See, for example, OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations
[3] Interagency Policy Statement on the Internal Audit Function and its Outsourcing