Like most industries, the banking industry is cost-conscious, and, to some bankers, the internal audit function, whether it is housed internally or outsourced to a third-party provider, may be viewed as merely a cost center with very little benefit to the institution's bottom line. But when another all-too-familiar headline shouts that fraud has damaged or crippled a company, most bank directors and executives are thankful for their internal audit function.
In April 2003, the regulatory agencies issued a joint policy statement, Interagency Policy Statement on the Internal Audit Function and Its Outsourcing, that amended a 1997 statement. As stated in the policy:
"The board of directors and senior management of an institution are responsible for ensuring that the system of internal control operates effectively. Their responsibility cannot be delegated to others within the institution or to outside parties. An important element in assessing the effectiveness of the internal control system is an internal audit function."[1]
This article seeks to provide a refresher on this statement and to address some areas that directors and senior management should review to ensure effective oversight of their institution's internal audit function.
The 2003 Policy Statement
The amended policy statement was issued to bring supervisory policy in line with the provisions of the Sarbanes-Oxley Act of 2002, as well as pertinent regulations of the U.S. Securities and Exchange Commission (SEC). As a result, banking organizations subject to Section 36 of the Federal Deposit Insurance (FDI) Act (essentially those with $500 million or more in assets) are required to comply with the Sarbanes-Oxley Act prohibition on internal audit outsourcing to their external auditor.[2]
The amended policy statement also indicates that institutions that are not subject to Section 36 of the FDI Act and are not SEC registrants are encouraged not to use their external auditor to perform internal audit services.
The policy statement is divided into four parts:
Part I: The internal audit function. Details key characteristics of the internal audit function and focuses on director and management responsibility for providing an effective system of internal controls and an effective internal audit function. The guidance recommends that institutions consider the placement of the audit function in the management structure to provide directors with confidence that internal audit can perform its duties with impartiality and will not be unduly influenced by managers of day-to-day operations. The guidance also expounds on: (1) management, staffing, and audit quality; (2) scope of testing and reviews; (3) communication of audit issues; and (4) contingency planning.
Part II: Internal outsourcing arrangements. Discusses sound practices for the use of third-party outsourcing arrangements. This section provides examples of outsourcing arrangements and then details additional considerations for outsourcing arrangements, including: (1) contracts with vendors, (2) reviewing vendor competence, (3) management oversight, (4) communication of findings, and (5) contingency planning.
Part III: Independence of the independent public accountant. Describes the effect outsourcing arrangements have on the independence of an external auditor who also provides internal audit services to an institution. There are three sections in Part III that outline the applicability of the SEC's auditor independence requirements to public companies, insured depository institutions subject to Section 36 of the FDI Act, and non-public institutions that are not subject to Section 36. Also included is information on the AICPA's independence guidance.
Part IV: Examination guidance. Addresses how examiners assess the quality and scope of an institution's internal audit function, regardless of whether it is performed by the institution's employees or by a third party, to determine compliance with the areas defined in the previous three parts. In addition, examiners will generally review audit reports and workpapers on a sample basis to attain a comfort level with the audit function. If the institution is deemed to have a strong audit function and examiners are comfortable relying on the audit coverage in place, it will likely result in a reduced need for examiner transaction testing, which may result in less on-site examination time.
There's More to Audit Than Just Audit Reports
Very often, directors and senior management review significant amounts of information in very detailed reports that can sometimes distract from the big picture. While audit report details are certainly important, especially with regard to high-risk and/or problem areas, directors also need to focus on the administration of the audit function to ensure it remains reliable.
So, what are some of the high-level items that directors and senior management should review? Several areas that serve as a foundation for any internal audit function are outlined below. Next to each item is a suggested review interval, but each financial institution should tailor such intervals to suit its own needs and comfort level.
Audit risk assessment (annual). Audit risk assessments should be performed by the audit manager at least annually. The assessment, which encompasses all areas of the organization (also known as an audit universe), serves to focus audit efforts and staffing resources on higher-risk areas more often than lower-risk areas. By establishing an audit frequency, the auditor is able to derive an audit schedule and estimate audit resource requirements.
Risk assessments can vary in complexity, but at a minimum they should take into account the internal control environment; prior audit ratings/findings; and changes that have occurred in personnel, controls, or business lines. No matter how complex the assessment is, a good auditor will be able to explain and defend the audit risk assessment.
Audit schedule (semiannual). The schedule should be reviewed in the beginning of the year, in conjunction with the audit risk assessment, and again at mid-year, to determine how well the audit schedule is progressing. Conducting a mid-year review will alert directors and senior management to problems in specific areas or with regard to audit staffing and resources (especially if the audit schedule is consistently behind).
Audit ratings and trend analysis (each meeting). Audit ratings, like loan risk ratings, serve to alert audit committee members to the severity of an audit report. An audit rating system (e.g., Excellent, Satisfactory, Needs Improvement, Unsatisfactory) will convey a concise and consistent method for communicating the risk posed by the area audited. The rating system should be appropriately stratified, with descriptions for each rating category, and uniformly applied to all audit reports. Finally, the rating system should be presented to and approved by the board of directors or its audit committee.
The audit rating system can also be used to track ratings over time, either by specific area or on a broad scale by business line. Similar to loan risk ratings, an audit rating migration analysis can show directors and senior management where specific business lines or operating areas are improving or deteriorating over time.
Exception tracking (each meeting). Often during an audit, items requiring correction are identified. Audit management should include these issues in an exception tracking report that serves to keep the issue open until adequate remediation has occurred. For ease of use, it may be beneficial to have the tracking report color coded by the amount of time items remain outstanding. While there is no standard format, exception tracking reports should include:
Directional consistency (continuous). Although it is more of a concept than a tangible report, directors and senior management should always be on the lookout to make certain that conclusions are aligned with the analysis performed. They should note the following: risk assessments should be reasonable and well supported; audit schedules should be supported by the risk assessments; audit ratings should take into consideration the severity of findings; and audit conclusions should be aligned properly with audit findings.
Sometimes, examiners will find "directionally inconsistent" patterns with no appropriate explanation. Some examples might include:
That's not to say there could not be explanations for inconsistencies, like the examples above, but it is critical that directors and senior management seek clarification when such situations arise.
Oversight of the internal audit function is a responsibility of the board of directors and senior management and cannot be delegated. Effective oversight helps to ensure that the internal audit function addresses the risks posed by the nature and complexity of current and planned activities. By following the interagency guidance and keeping tabs on several key administrative areas, directors and senior management can help ensure a strong internal audit foundation.
If you have any questions on issues related to internal audit or audit outsourcing arrangements, please contact your primary regulatory agency. For those institutions that are supervised by the Federal Reserve Bank of Philadelphia, please contact Manager Stephen J. Harter (firstname.lastname@example.org) at (215) 574-4385 or Supervising Examiner James W. Corkery (email@example.com) at (215) 574-6416.
The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.