The U.S. Federal Reserve Sends a Strong Signal on the Value of Internal Auditing

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. 


Every now and then, regulatory bodies around the world issue guidance documents that make a profound statement about internal auditing. Last week, the U.S. Federal Reserve issued some new guidance that clearly falls into that category.

The 15-page document, titled Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing, technically applies only to U.S. banks with assets of US $10 billion or more. However, from my perspective, the Fed has made a powerful statement on the importance of a strong and effective internal audit function in financial services institutions in the “post financial crisis” era.

With this statement, the Federal Reserve also comes closer than virtually any other regulator in the industry to endorsing or mandating The IIA’s International Standards for the Professional Practice of Internal Auditing. In fact, the document’s opening paragraph asserts:

“The Federal Reserve is providing this supplemental guidance to enhance regulated institutions’ internal audit practices and to encourage them to adopt professional standards and other authoritative guidance, including those issued by The Institute of Internal Auditors.”

The guidance, which addresses the characteristics, governance, and operational effectiveness of an organization’s internal audit function, includes the following key provisions:

  • If the chief audit executive (CAE) reports administratively to someone other than the CEO, the audit committee should document its rationale for this reporting structure, including mitigating controls available for situations that could adversely impact the objectivity of the CAE.
  • Internal audit management should perform knowledge gap assessments at least annually to evaluate whether staff members have the knowledge and skills commensurate with the organization’s strategy and operations.
  • Internal auditors generally should receive a minimum of 40 hours of training annually.
  • The internal audit function should have a code of ethics that emphasizes the principles of objectivity, competence, confidentiality, and integrity, consistent with professional internal audit guidance such as The IIA’s Code of Ethics.
  • The internal audit charter should define criteria for when and how the internal audit function may outsource some of its work to external experts.
  • The audit committee and its chairperson should have ongoing interaction with the CAE separate from formally scheduled meetings to remain current on internal audit department, organizational, and industry concerns.
  • The audit committee should receive an opinion on the adequacy of risk management processes at least annually, including the effectiveness of management's self-assessment and remediation of identified issues.
  • Internal audit's risk-assessment methodology is an integral part of the evaluation of overall policies, procedures, and controls at the organization and the development of a plan to test those processes.
  • Internal audit’s risk-assessment methodology should address the role of continuous monitoring in determining and evaluating risk.
  • It’s common practice for organizations with defined audit cycles to follow a three- or four-year audit cycle; high-risk areas should be audited at least every 12 to 18 months.
  • Internal audit is encouraged to use formal continuous monitoring practices as part of the function's risk-assessment processes to support adjustments to the audit plan or universe as they occur.
  • A well-designed, comprehensive quality assurance program should ensure that internal audit activities conform to The IIA's professional standards and the organization’s internal audit policies and procedures. The program should include both internal and external quality assessments.
  • Each institution should conduct an internal quality assessment annually, and the CAE should report the results and status of internal assessments to senior management and the audit committee at least annually.
  • The audit committee and the CAE are responsible for the selection and retention of internal audit vendors and should be aware of factors that may impact vendors' competence and ability to deliver high-quality audit services.
  • When an organization relies significantly on the resources of an internal audit service provider, the organization should have contingency procedures for managing temporary or permanent disruptions in the service in order to ensure that the internal audit function can meet its intended objectives.

While not everyone may agree with the provisions of the Fed’s new policy guidance, I do view it as a very positive development. Feel free to share your thoughts.

Posted on Jan 28, 2013 by Richard Chambers


  1. This is indeed a welcome announcement coming on the heels of what the OCC communicated in a December 2012 American Banker article on their Flunking 19 Larger Banks on ERM and Internal Audit. This is no small undertaking and has raised the bar for Internal Audit, the Audit Committee they directly report to and the CEO who the Fed recommends as the preferred administrative relationship. There are many requirements where Internal Audit has not participated before. Corporate Governance, ERM program evaluation, Strategic Initiatives, Risk Appetite and Tolerance. We have reached out to Richard on this matter to help lead and we are helping financial institutions in this regard with readiness and remediation services.

  1. This is a powerful message and it may become a benchmark for other countries as well

  1. How is this different from BASEL's internal audit framework?

  1. The Federal Reserve guidelines are good but I am afraid that they are not new, they are real guidelines which give guidance on how to apply the already set IIA standards.

    I would be more interested in involvement of the internal audit stakeholders in ensuring independence of internal auditors/CAE. This could be done by ensuring that Internal auditors are not full time employees of the organizations they audit, paid fees and not monthly salaries and allowances, separate budgets from main organization budgets. Why am I concerned with all these? This is because most of these salaries and allowances for audit committees are approved by CEOs. This is the weapon they normally use to collude with audit committee members. The CEO shouldn't have control on internal audit function in any way.

    Many would want to challenge and say that internal audit will be the same as external audit if these changes are taken on board but the answer is no. The external audit focus is to give an opinion on the financial position of the organization by doing a review which is limited in scope and focus while internal audit is focused on a broader scope covering all functions of the organization, risk management, review of internal control effectiveness regularly, ensuring improvements in operations by doing regular follow up of audit recommendations both internal and external.

  1. Excellent recognition by the Fed and in some ways a great challenge for all of us. We often clamour for additional recognition for our profession, now it appears expectations are being raised by our stakeholders once again. We need to continue down the path of understanding the risk faced by our organizations and sharpen our abilities to provide management and boards information and context so they can understand the risk they face and assess the appropriateness of responses to that risk.

  1. There is too much discussion about independence and reporting lines and not enough about the quality and impact an Internal Audit function can have in terms of assuring Risk Management. Both the CFO and the CEO are part of executive management and therefore equally influential in determining the future career of the Chief Internal Auditor. True Internal Audit independence can only be achieved by means of a strong Internal Audit mandate and Charter, which is visibly supported by the Board, Audit Committee and its Chairperson. Furthermore, the CAE needs to demonstrate and role model courage, balance and clear judgment. Additionally, the 'tone from the top' and overall respect for the Internal Audit function will determine the environment in which it can be fully independent. Lastly, if senior management has rotated through Internal Audit (which is the case in Shell for both the CEO and CFO), it creates a different culture, with clear commitment to Risk Management, Compliance and 'Management in Control'. It is rather naive to believe that independence can be arranged through a reporting line. I favour double reporting lines to either CFO/CEO in addition to a reporting line to the Chair of the Audit Committee or Chair of the Board. This will ensure that the CAE can be a trusted sparring partner for the Executive Directors and senior management, as well as independent observer providing insights to the independent Non-Executive Directors (assuming a 2-tier Board). Only with a dual reporting line can the Internal Audit function be fully independent AND impactful in terms of assuring and assisting the Risk Management of a company.

    I would welcome some further reflection on the subject, both by the IIA as well as the Fed. Armand Lumens, Chief Internal Auditor, Royal Dutch Shell

  1. How ironic that the Federal Reserve is setting these IA standards to mitigate risk, none of which address technology and the need for IT internal audits, and in the news yesterday their internal website was hacked by Anonymous.

  1. A welcome step in the right direction. The Fed correctly identified who internal audit reports to as the key element to independence and objectivity, which ultimately determines the credibility and usefulness of the profession. I also agree with the comment on IT auditing, and the irony of the Fed website being hacked into.

  1. Richard, the Statement sets out some expectations of Internal Audit carrying out its own risk assessment to underpin its audit planning. Do you have a view about the efficacy of this approach compared to Internal Audit making use of the risk assessment process of the firm itself? I am not suggesting that Internal audit should not have a view of risk but if the objective is to provide assurance on how risk is managed wouldn't the default position be to use the firm's risk assessment process (and, hopefully, the risk appetite articulated by the Board and senior management) to identify where assurance is needed? This wouldn't preclude auditing the high-level risk management processes but it would be different to what sometimes seems to be a "Red Team" approach where Internal Audit acts as a parallel risk department.
