As financial institutions face increased regulatory scrutiny and mounting risks, a robust risk assessment process and internal audit function are essential to help protect the bank, its management and board. In order to address their responsibility for internal audit, bank management and the audit committee should be familiar with FIL-21-2003 Interagency Policy Statement on the Internal Audit Function and Its Outsourcing.
In addition, the Board of Governors of the Federal Reserve System issued supplemental guidance in January 2013. For many community banks, unless you can clone your employees (and the clones are willing to work for free!), outsourcing, supplementing or co-sourcing the internal audit function is a cost-effective approach to risk management.
Outsourcing — In an outsourced arrangement, the third-party internal audit provider would review (or assist in the preparation of) the bank’s internal audit risk assessment through discussions with key bank management, the audit committee and, possibly, examiners. At a minimum, a thorough review of prior exam reports and other internal audit reports should be performed. Next, an internal audit plan would be developed based on the results of the risk assessment.
The third-party firm would then perform the testing for the specific audit areas noted in the plan based on the risk level (i.e., high, moderate or low) associated with that area.
This risk level takes into consideration the risk appetite, inherent risk, examiner scrutiny, and other types of information, such as changes in the bank environment due to acquisitions, changes in key personnel, and the size of the bank, to some extent.
Typically, high-risk areas are audited each year; moderate-risk areas — every two years; and low-risk areas — approximately every third year. Certain tasks, such as branch audits, may still be more cost-effective and efficient if performed by in-house staff independent of the branch function.
Supplementing and Co-sourcing are options for institutions that have an established internal audit function but may need additional assistance. More technical areas, such as the allowance for loan and lease losses, derivatives, and information technology (IT) audits, as well as special projects such as network assessments and penetration testing, are often performed by the third-party internal audit provider. This economical option allows the bank to supplement its staff and augment its expertise.
While it doesn’t create a mandate, FIL-21-2003 does encourage all financial institutions, regardless of size, to follow the Sarbanes-Oxley Act’s prohibition on using the same firm for external audit and internal audit outsourcing. However, if an institution decides to use the same firm for both internal and external audit work, the audit committee should document that it has approved both engagements and has considered the independence issues associated with this arrangement.
Take caution not to view internal audit services as simply a “cost.” These services, along with compliance and IT services, should be viewed as an “investment” in the health of your bank.
Are audit committee members really at risk themselves?
We like to explain the importance of a robust internal audit process to audit committees by taking them through a quick exercise.
First, consider why you need the internal audit work done. The obvious answer is: The regulators require it! Failure may result in regulatory action.
However, beyond the obvious answer, think about why your internal audit process, driven by a strong risk assessment, is important to you as members of the audit committee or board of directors.
What about reputation risk?
If the bank’s reputation is harmed, could that lead to the loss of key customers, loss of income and decreased dividends to shareholders? Yes!
Then what? Could that translate into harm to your personal reputation in your community and, consequently, result in harm to your personal business? Yes!
If your reputation is harmed, could you lose business customers and negatively impact your income? Sure. And what effect does that have on you and your family?
We could continue down that road… (spoiler alert) to where you lose your home and live in a van down by the river. A bit extreme, of course, but we like to have a little fun while driving home the importance of this all-too-often overlooked and undervalued function.
While regulatory compliance and fraud risks continue to top the list of concerns for internal auditors, cybersecurity and information security have quickly moved to the top of the risk list for almost every industry. The increasing frequency and sophistication of cyberattacks, along with rapidly changing technology, could leave bank executives and board members unsure about their responsibilities and risk.
Due to the increasing number of cybersecurity incidents and data breaches around the world, the FFIEC released guidance on cybersecurity. In June 2015, it released a new Cybersecurity Assessment Tool to help banks identify their risks and assess their cybersecurity preparedness.
And there is no doubt that there will be an increased focus on this area by examiners. Therefore, a sound internal audit function that includes adequate IT audit coverage is more critical than ever before.
The board of directors is ultimately responsible for the internal audit function and for ensuring that the institution’s system of internal controls operates effectively. Directors must be aware of and understand significant risks to the bank.
An effective audit program includes, but is not limited to, the following:
- written guidelines for conducting audits
- independence and impartiality
- sufficient audit expertise
- a risk-based audit plan
- the promotion of sound controls
- remediation of audit deficiencies
- reporting to the board on exceptions and the effectiveness of risk management practices
It is imperative that personnel performing audits have knowledge commensurate with the scope and sophistication of the institution’s environment and possess sufficient analytical skills to determine and report the root cause of deficiencies. If internal expertise is inadequate, the board should consider using qualified third-party resources to supplement or perform the institution’s internal and/or IT audit function.
Bank directors should not take lightly the impact of the internal audit function on the bank’s health and their own personal reputation.
Unless you’re entirely confident that your bank has sufficient internal resources to identify and mitigate risk, outsourcing or co-sourcing the internal audit function could help bank management and directors sleep better at night. Likewise, an effective internal and IT audit function may reduce the time examiners spend reviewing certain areas of the bank during examinations.