Internal Audit: Whose responsibility is it?

Posted by Phil July 8, 2011 5:09pm

Oversight of the internal audit function is a responsibility of the board of directors and senior management and cannot be delegated. Effective oversight helps to ensure that the internal audit function addresses the risks posed by the nature and complexity of current and planned activities. By following the interagency guidance and keeping tabs on several key administrative areas, directors and senior management can help ensure a strong internal audit foundation.

The internal audit function, whether staffed internally or outsourced to a third-party provider, is often viewed simply as an expense. Once its role in fraud prevention is taken into account, however, most directors and managers come to appreciate its value.

The Interagency Policy Statement on the Internal Audit Function and Its Outsourcing, issued jointly by the federal banking agencies in April 2003 to amend a 1997 statement, states:

"The board of directors and senior management of an institution are responsible for ensuring that the system of internal control operates effectively. Their responsibility cannot be delegated to others within the institution or to outside parties. An important element in assessing the effectiveness of the internal control system is an internal audit function."

Directors and senior management are urged to review practices to ensure effective oversight of their institution's internal audit function.

The amended policy statement was issued to bring supervisory policy in line with the provisions of the Sarbanes-Oxley Act of 2002 and the pertinent regulations of the U.S. Securities and Exchange Commission (“SEC”). As a result, banking organizations subject to Section 36 of the Federal Deposit Insurance (“FDI”) Act (essentially those with $500 million or more in total assets) are required to comply with the Sarbanes-Oxley Act prohibition on outsourcing internal audit work to their external auditor.

The amended policy statement also indicates that institutions that are not subject to Section 36 of the FDI Act and are not SEC registrants are encouraged not to use their external auditor to perform internal audit services.

The policy statement is divided into four parts:

The internal audit function. The guidance recommends that institutions consider where the audit function sits in the management structure, so that directors can be confident that internal audit can perform its duties impartially and will not be unduly influenced by the managers of day-to-day operations. This part also addresses management, staffing and audit quality; the scope of testing and reviews; communication of audit issues; and contingency planning.

Internal audit outsourcing arrangements. Discusses sound practices for the use of third-party outsourcing arrangements. This part gives examples of outsourcing arrangements and then details additional considerations that apply to them, including contracts with vendors, reviewing vendor competence, management oversight, communication of findings, and contingency planning.

Independence of the independent public accountant. Describes the effect that outsourcing arrangements have on the independence of an external auditor who also provides internal audit services to an institution, and outlines how the SEC's auditor independence requirements apply to public companies, to insured depository institutions subject to Section 36 of the FDI Act, and to non-public institutions that are not subject to Section 36.

Examination guidance. Addresses examiners’ assessment of the quality and scope of an institution's internal audit function, whether internal or outsourced, to determine compliance. Examiners will generally review audit reports and workpapers on a sample basis to gain comfort with the audit function. If the institution is found to have a strong audit function and examiners are comfortable relying on the audit coverage in place, the need for examiner transaction testing will likely be reduced, which may mean less on-site examination time.

While audit reports are important, directors also need to focus on the administration of the audit function to ensure it remains reliable.

Areas that provide a foundation for any internal audit function are as follows:

Audit risk assessment (annual). An audit risk assessment should be performed by the audit manager at least annually. The assessment covers every auditable area of the organization (collectively known as the audit universe) and serves to focus audit effort and staffing on higher-risk areas more often than on lower-risk ones. By assigning each area an audit frequency based on its risk, the auditor can derive an audit schedule and estimate audit resource requirements.

At a minimum, risk assessments should take into account the internal control environment, prior audit ratings and findings, and any changes in personnel, controls, or business lines.

Audit schedule. The schedule should be reviewed at the beginning of the year, in conjunction with the audit risk assessment, and again at mid-year to determine how well it is progressing.

Audit ratings and trend analysis. Audit ratings, like loan risk ratings, serve to alert audit committee members to the severity of the findings in an audit report. An audit rating system (e.g., Satisfactory, Fair, Needs Improvement, Unsatisfactory) provides a consistent method for communicating the risk posed by the area audited. The rating system should include a description of each rating category and be applied uniformly to all audit reports. It should be presented to and approved by the board of directors or its audit committee.

Ratings should also be tracked over time, since the trend can point to specific business lines or operating areas that are improving or deteriorating.

Tracking of findings. Audit management should record each finding in a tracking report that keeps the issue open until it has been corrected. Tracking reports should include:

  • Details on the exception cited in the audit report
  • Date the exception was identified
  • Person responsible for correcting the exception
  • Expected date of correction
  • Current status of the exception

Consistent analysis. A periodic review of the audit function should confirm that risk assessments are reasonable and well supported, that audit schedules are driven by the risk assessments, that audit ratings reflect the severity of the findings, and that audit conclusions are properly aligned with the findings.

In summary, by following the interagency guidance and keeping tabs on these key administrative areas, directors and senior management can help ensure a strong internal audit foundation.




Philip Gonzalez

Managing Director

Philip Gonzalez, Director, has over 40 years of experience in the financial services industry, having held a wide variety of executive and senior management positions at community banks and financial institutions.
