Sunday, March 15, 2020

Changing Your Outlook on Internal Audits

Part Two - What is a Control Environment?
There are myriad whitepapers and scholarly articles discussing control environment theories. Many of these documents discuss in detail the components of the concept of controls. At the heart of the matter, the control environment is comprised of your institution's ability to identify the risks inherent in ongoing operations compared to the steps you have taken to mitigate those risks. Put another way, why DO you have written policies and procedures? What are they designed to do? "Policies and procedures" often seems like an arcane phrase that auditors and examiners like to glibly toss out, but they really are the heart of the control environment. The process of developing policies and procedures should follow the development of a risk assessment. Risk assessments are too often performed as a matter of course and then forgotten for the rest of the year.
An effective risk assessment of your compliance program can be an excellent source document for various things, including budget requests for additional resources and the scoping of audits. Completing the assessment includes considering the inherent risk at your institution, the internal controls that have been established to address that risk, and a determination of the residual risk. The process is intended to be one of self-reflection and consideration of the areas of potential weakness. For those areas that have the potential to be a problem, the best practice is to make sure they are included in the scope of an audit. Audit firms are more than happy to work with the management of the institutions they are reviewing on developing a scope. One of the crucial goals of the audit is to uncover areas where there are weaknesses in internal controls. For example, in your risk assessment you may have noted a large number of errors in disclosures for new accounts. This area should subsequently be a focus for the internal auditors when the compliance audit is performed.

In the previous blog, we talked about how the FFIEC compliance rating system gives a great deal of incentive to follow a process in this order:
·         Complete a risk assessment covering products and services
o   Plus
·         Development of the policies and procedures designed to address the risk identified in the first step
o   Equals
·         Your control environment

Of course, that is not the end of the story. In fact, that is only the first half. Once the control environment has been established, it is critical to determine which controls are preventative and which are detective.
Preventative Controls: are designed to keep errors or irregularities from occurring in the first place. They are built into internal control systems and require a major effort in the initial design and implementation stages. Put another way, preventative controls are designed to keep bad things from happening at the inception.
Detective Controls: are internal controls intended to find problems within a company's processes. Detective controls are designed to find problems in delivery and implementation.
The way that you test these controls depends on how they are designed to work. In the case of preventative controls, the test is to determine whether they keep a transaction from being completed when it contains an error. Detective controls are designed to catch problems in the overall process, such as adverse actions that show a problem trend.
Consider the implications for the internal audit process. The current process tests the results and not the control environment. Your auditor could test 50 loans and find no problem. The conclusion that is drawn is that all is well; but really, how do you know that loans 51-70 are not all problem loans? The idea here is to self-police by testing the control environment itself.
As we noted in the first part of this series, the scope of the internal audit function at financial institutions has been an area of focus for regulators. Regulators have focused on whether the scope of internal audits both meets regulatory standards and is appropriate in light of the overall risk profile of the financial institution. It is the second of these two considerations that has most often caused findings and created concerns. It is, therefore, critical that the scope of audits reflect an understanding of the risks inherent at your financial institution.
A control risk assessment (or risk assessment methodology) documents the internal auditor's understanding of the institution's significant business activities and their associated risks. These assessments typically analyze the risks inherent in a given business line, the mitigating control processes, and the resulting residual risk exposure of the institution. They should be updated regularly to reflect changes to the system of internal control or work processes, and to incorporate new lines of business.[1]
At smaller institutions, there generally is not a full-time internal auditor on staff. This does not obviate the need for comprehensive and timely risk assessments. Unfortunately, the risk assessment process is often overlooked. The risk assessment should consider the following:
Past Examination and Audit Results
It goes without saying that the past can be a prelude to the future. Prior findings are an immediate indication of a lack of effectiveness in internal controls. It is important that the root cause of each finding or recommendation from regulators is identified and addressed. Internal audits should coordinate with the risk assessment to test the effectiveness of the remediation.
Changes in Staff and Management
Change is inevitable, and along with change comes the possibility that additional training should be implemented or that the resources available to staff should also change. For example, suppose the head of Note Operations is brand new. This new manager will want to process loans using her/his own system. Loan staff who are used to past procedures may become confused. Change generally increases the possibility of findings or mistakes. Your risk assessment should take into account the risks associated with changes and how best to address them. In addition, this is an area that should be covered by internal audit, as it presents a risk.
Changes in Products, Customers or Branches
It is also important that your risk assessment consider all of the different aspects of changes that have occurred or will occur during the year. Any new products or services, new vendors, and/or marketing campaigns that are designed to entice new types of customers are all changes that impact the overall risk profile of the institution. The resources necessary to address these changes should also be a consideration for the internal audit.
Changes in Regulations
Over the past few years, there have been a huge number of changes to regulations, guidance and directives from Federal and State agencies. Many of these changes do not impact smaller institutions directly, but many do. Moreover, there are often regulations that are finalized in one year that don't become effective until the following year. Part of your risk assessment process has to consider changes that will affect your institution. The internal audit scope should also consider whether the institution is prepared to meet changing regulatory requirements.
Monitoring Systems in Place
The information systems being employed to monitor the effectiveness of internal controls should be considered. For many institutions, this "system" is comprised of word of mouth and the results of audits and examinations. Information used by senior management and reported to the Board should be sufficient to allow credible challenges by the Board.[2]
Using the Risk Assessment to Set Audit Scopes
Once a risk assessment is completed, the results should be directly tied to the internal audit schedule. The FFIEC guidance points out the relationship between the internal audit plan and the risk assessment:
An internal audit plan is based on the control risk assessment and typically includes a summary of key internal controls within each significant business activity, the timing and frequency of planned internal audit work, and a resource budget.[3]
The risk assessment should prioritize the potential for findings, while the audit scope should be developed to test the mitigation steps taken to reduce findings.
The criticism that is often raised about outsourced audit is that the scope is incomplete. This is often the case because outsourced vendors have developed their scope based upon best practices and their experiences at various institutions. While this is obviously a best practice for the audit vendor, the problem is that it doesn't always fit the individual institution. Information from a comprehensive risk assessment should be incorporated into the scope of an internal audit.
In this manner, the auditor can best consider the areas of risk that are the highest priority at a particular institution. For example, when developing the scope for an independent audit of a BSA/AML program, the scope should include the most recent risk assessment. Changes in the customer base, an increase in the overall risk profile of the bank, or a change in personnel are all factors that should be included in the audit scope. In addition, the auditor should consider whether current monitoring systems have the capability to properly monitor the additional level of risk. Finally, the professional abilities of the BSA staff should be considered as they relate to the additional risk.
Outsourced internal audit firms design the scopes for the audits that they conduct based upon their knowledge of auditing, regulatory trends, best practices and the overall knowledge of their staff. This practice allows the firms to bring a wealth of experience and important information from outside of the financial institutions that they are reviewing. When your audit firm presents you with the scope that they propose, it is based upon completely external factors and considerations. This is not a criticism of the firm; it is a standard practice. However, setting the scope for internal audits is really supposed to be a collaborative effort, and both the audit firm and your institution are best served by developing the scope for audits together. After all, who knows the strengths and weaknesses of your institution better than management? To get the biggest bang for your buck, why not tie the audit scope to the results of your risk assessment?
Ultimately, it is the responsibility of the Board to ensure that the internal audit is effectively testing the strength of internal controls.



[1] Interagency Policy Statement on the Internal Audit Function and its Outsourcing
[2] See, for example, OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations
[3] Interagency Policy Statement on the Internal Audit Function and its Outsourcing
