Auditing the Auditors
Scott D. White, CIA, CFSA, CRMA, CISA
M&M Consulting, LLC
Senior Manager, Financial Services
Ernst & Young LLP
Events of the past three-plus years have had an overwhelming impact on financial institutions and their regulation. The economic recession, mortgage lending problems, data security breaches, near meltdown of the financial system, and well-publicized frauds have shaken the industry to its core. These events have resulted in an increased volume of regulations and amplified the pressure on organizations and regulators to prevent their reoccurrence. Bank regulators have responded by conducting more intensive safety, soundness, and compliance examinations. On one hand, the heightened regulatory environment can present opportunities for internal auditors to positively affect their organizations like never before. On the other hand, pressure on internal auditors to do more with the same or fewer resources and the ever-increasing scrutiny of the internal audit function can lead to significant challenges.
Regulators are looking to leverage the work of internal audit as much as possible. However, it is critical that the internal audit department first meet the expectations of the regulators for this to happen. While the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Federal Reserve Board (FRB) may have slightly different terminology for their rating scales, each includes a component related to risk management, which contains an evaluation of the system of internal controls for an organization. The results of the review of the internal audit program have a significant impact on the overall annual rating of the institution.
The FDIC covers the evaluation of the system of internal controls in the management rating, while the FRB incorporates it in the risk management component of its RFI/C(D) rating system (risk management; financial condition; potential negative impact of the parent company and nondepository subsidiaries on bank and thrift subsidiaries; and the depository institution rating, which mirrors the primary regulator's assessment of the subsidiary depository institutions). Section 4.2 of the FDIC’s safety and soundness examination procedures, “Internal Routine and Controls,” describes the expectations for the internal audit function to provide the following elements within the internal audit program:
- Adequate monitoring of the institution’s internal control system.
- Independence and objectivity.
- Qualified personnel.
- Adequate testing and review of information systems.
- Adequate documentation of tests and findings of any corrective actions.
- Verification and review of management’s actions to address material weaknesses.
- Review by the audit committee or board of directors of the internal audit systems’ effectiveness.
These requirements are also consistent with the areas of review by the FRB and the OCC. The rating of the internal audit department has a significant impact on the overall rating of management within the organization. Regulators have raised the bar for internal auditors and are more frequently criticizing management, audit committees, and internal audit departments for not meeting or exceeding their expectations. OCC Senior Deputy Comptroller Michael Brosnan stated, “because of the importance of large banks to our economy and the capital markets, we have learned that it is not sufficient to have a ‘satisfactory’ [internal audit] function. Today, the expectation is that all large banks need to build and maintain strong [internal audit] functions.”
To help internal audit meet the heightened expectations of the regulators, there are seven steps chief audit executives (CAEs) can undertake.
1. Hire qualified people who bring skills and experience that reflect the organization’s risk profile.
The internal audit department is only as good as the people it employs. Regulators are closely examining the qualifications and experience of those conducting internal audits and their backgrounds, particularly the background of the CAE. They are interested in whether the CAE and internal audit staff can provide credible challenge to business managers. The expertise of the staff is being matched to the organization’s risk profile, and gaps are being identified and questioned. Staff profiles should always be documented and kept current, including certifications and continuing education fulfillment. Finding qualified staff remains particularly challenging even with the current unemployment rate at more than 8 percent. CAEs need to stay in front of the staffing equation.
The CAE should have a staffing strategy that fits the organization’s risk profile, including permanent full-time employees and use of cosourced services for areas in which the internal staff may not have sufficient expertise. For example, model risk management and validation is an increasingly hot topic in financial institutions. Many internal audit groups do not have staff experienced in auditing model risk management and may need to fill this gap with outside help. Some other areas trending for upgrade of internal audit skills include: compensation management, enterprise risk management, technology, compliance functions and key regulations, capital management and adequacy, and impairment analysis and troubled debt restructures.
Both small and large internal audit departments face the challenge of being able to hire and retain individuals with the specialized skills required to effectively audit certain areas of the organization. The solution can take a variety of forms. Some internal audit departments will decide to hire individuals if there is enough work to keep them engaged throughout the year. Others cosource with service providers that specialize in financial services and have individuals who work with a multitude of other organizations in the areas of interest. Another option is to create a guest auditor program whereby individuals from the business units who have the appropriate skills join specific audit teams as subject matter advisers. This approach requires training on independence and a well-thought-out process to confirm that the guest auditor does not have any conflicts of interest. Ultimately, the CAE is still responsible for the work performed by consultants or guest auditors. Regulators are very interested in understanding the level of oversight and involvement the internal audit department has in the execution of audits using outside resources. It should be evident that the CAE has signed off on or reviewed the final report and that one of the internal audit direct reports has been involved in reviewing, at a minimum, the scope, test plan, preliminary and final audit issues, and the report rating.
Financial institutions that outsource their internal audit function or cosource a piece of it should be familiar with the Interagency Policy Statement on the Internal Audit Function and Its Outsourcing issued by the OCC, FDIC, and FRB. The policy statement is comprehensive and discusses, among other issues:
- Management’s responsibility for internal controls.
- Placement of the internal audit function.
- Managing the audit function.
- Scope of the audit.
- Contingency planning.
- Examples and considerations in outsourcing arrangements.
- Vendor competence and due diligence.
- Examiner guidance.
Internal audit service providers that specialize in providing assistance to financial services organizations should be keenly aware of this policy statement and support the organization in making sure the internal audit arrangement meets the requirements.
2. Document the risk assessment and annual audit plan process and guidelines, evidence the rationale for risk ratings, and clearly align the plan with organizational business objectives and strategies.
For many years, examiners have expected the internal audit function to conduct an annual risk assessment and form an annual (and two- or three-year) audit plan. As internal auditors have been asked in recent years to do more, cycle times for audits have increased and risk rating definitions have changed. While the CAE may have justification for cycling low-risk audits every three or four years or not at all, examiners are questioning the audit cycle and critically evaluating the justification for areas rated as low, which in some cases are not audited according to the cycle. It is critical that the audit department have a formal guideline to execute the risk assessment and provide some level of consistency in the evaluation of risk. The key is to have a documented process that has the right mix of qualitative and quantitative measures to capitalize on auditor judgment and knowledge of the organization combined with some objective measures to help gauge potential impact (e.g., percentage of pretax income, value at risk (VaR), percentage of assets). Leading-class audit functions tend to independently incorporate the key risk measures used by the risk management function (when available) into their risk ranking criteria.
Internal audit must also be able to evidence how it is staying abreast of the changing risk profile of the organization and how that information is being considered in the ongoing refresh of the risk assessment and audit plan. This is another reason why it is critical that internal audit has a seat at the table when the organization’s strategic priorities are discussed. Internal audit should evidence attendance at business operational and strategic meetings and key steering or executive committee meetings, including any information gleaned from those meetings to either confirm that risk focus is appropriate or that there is a change in risk, which will drive a change in the audit plan. Internal audit’s evidence of this process is a key step supporting why certain areas of the organization will, or will not, be covered during the typical audit cycle. The CAE must be in a strong position to demonstrate how the internal audit plan and strategy aligns with the organization’s strategy and internal risk assessments. The CAE should also be discussing the department’s risk assessment and annual audit plan with the executive leadership team and the audit committee, including what is not being covered. The discussion and approval of the audit plan with the audit committee should be well documented.
3. Ensure the governance structure of the internal audit function in the organization is appropriate and will meet examiner expectations.
Internal audit’s reporting relationship must be independent. The expectation is that the CAE reports directly to the audit committee, and administrative reporting lines to the president or CEO are preferred to provide the CAE with the appropriate level of stature and independence within the organization. Auditors should be prepared to show how the current reporting structure allows the required level of stature and independence, especially if the reporting lines differ from regulatory expectations. Some examples of appropriate stature and independence include: evidence that the CAE has unfettered access to the audit committee chair; the CAE has routine communications and meetings with the audit committee or chairperson, including in executive sessions without management present; and that management has not prevented the internal audit department from reviewing certain areas of the organization.
The audit function should also have a formal charter that describes the internal auditor’s position within the organization, her or his direct access to the audit committee, and the audit committee’s responsibilities for the evaluation of the internal audit function and the hiring or termination of the CAE. The internal audit charter should be reviewed, updated (if necessary) and approved by the audit committee annually.
4. Have a well-documented, issue-tracking and validation methodology for all audit and examination issues.
A robust issue-tracking methodology is essential for an effective internal audit function and an area of focus in examinations. Whether internal audit administers the methodology itself or participates in the overall corporate issue-tracking methodology, lack of an effective mechanism for tracking open issues subjects the organization to regulatory criticism. This is particularly true if issues have been raised in prior examination reports and not corrected.
An effective tracking methodology should define who is responsible for administering the methodology, what types of issues will be tracked (audit and examination issues only, or other issues as well), how it will be determined when an issue is closed and by whom, what type of follow-up is necessary, and who will review open issue reports and how often. The tracking report should also show any change in due dates so that it is evident when dates may be sliding and an issue is not being resolved. It is also important to define the validation procedures required to close an open issue. Requirements should mirror the risk rating of the issue. For example, closure of high-risk issues should require testing of an appropriate sample size covering a specific period, which will evidence that the remediated controls are operating effectively. Inquiry and observation may be sufficient to close low-risk audit issues, with the requirement that a more robust review be included in the next audit of the area.
Internal audit should consider issues identified by regulators in its audits, including the status of remediation, to help gauge whether corrective action is proceeding as planned. Many internal auditors are challenged with finding a way to incorporate existing regulatory findings into their reports without being redundant. One suggestion is to attach an appendix to the audit report that outlines the examiner’s comments and provides an update on the status of corrective action for each issue. This is informative for the reader and avoids repeating in the body of the report issues that have already been identified through regulatory examinations.
5. Be prepared to define consulting engagements and support why they have not impaired internal audit’s independence.
Consulting engagements provide a great opportunity for internal audit to demonstrate value to the organization. However, auditors should be ready to define what is meant by a consulting engagement and to support why consulting engagements have not impacted their independence. As indicated in The IIA’s professional standards, when acting as consultants, internal auditors should ensure that the scope of the engagement is well understood by all involved and specifically outline the internal auditor’s role. Internal audit should not develop or implement controls. It is also good practice to inform the audit committee about any consulting-oriented engagements and have them formally approved, so that transparency is maintained throughout the process. See Standard 1100: Independence and Objectivity and Practice Guide: Independence and Objectivity.
6. Have formal guidelines and definitions for audit issues and report ratings.
How the audit department prioritizes the audit results for management and the audit committee should be evidenced. Having report ratings defined and included in the appendix of all reports will help readers prioritize the reports and provide transparency on ratings for the auditees. Unfortunately, internal audit departments still spend a lot of time debating the audit rating with management, especially in an organization that is moving toward rated audit reports for the first time. This is especially true where the audit rating affects the auditee’s compensation.
Internal audit departments can help minimize the debate over the final audit rating by keeping senior management abreast of the status of audits, including any preliminary findings as they arise. This does not mean just having an opening conference, preliminary exit meeting at the end of fieldwork, and then a final meeting prior to issuing the report. Depending on the duration of the audit, the audit lead may want to have weekly touch points with the business unit leader while the audit manager meets with the audit liaison from the business unit daily to discuss open items and progress. If communication is of the right frequency and content, the auditee should not be surprised by the audit report rating. Inadequate communication of audit progress is a common remark made by auditees regarding internal audit. Audit teams should communicate progress and preliminary audit results early and often so the client has time to assimilate the information and react, including implementing any corrective action that can be credited in the audit report.
7. Be aware of recent trends and challenges in risks and controls faced by peers.
Attending industry roundtables and networking events is a great way to stay abreast of the challenges peers are facing, as well as emerging areas of focus. Recent areas of internal audit focus across financial services organizations include:
IA process-related considerations
- Risk assessments – the risk assessment guidelines and results should be documented, with evidence supporting routine refresh of the risk assessment results, typically quarterly, throughout the year. There also should be an explanation of how IT and critical business applications were considered in the risk assessment.
- Horizontal audits – audit departments should be performing horizontal audits (audits of one topic across the organization). Common examples include privacy, anti-money laundering, IT change management, end-user devices, and business continuity planning.
- Validation of the completeness of the audit universe – internal audit functions should be able to evidence the completeness of the audit universe. Common forms of evidence include a combination of reconciliations to the functional organizational chart, general ledger, significant legal entity listing, and department code and expense listing.
- Coordination with other risk and control functions – internal audit should be able to evidence effective coordination with other risk and control functions, such as compliance, risk management, U.S. Sarbanes-Oxley Act of 2002 teams, model validation groups, and other internal quality control groups. There should be routine touch points between the groups covering control trends by topic or business, management area or group, and timing of audits and reviews.
Considerations for audit coverage
- Vendor management – vendor risk assessments and processes should be in place to ensure management is taking responsibility for evaluating and managing vendors.
- Review of vendors with access to non-public personal information – a higher level of vendor due diligence is expected if the vendor has access to customer information.
- Regulation W and Sections 23A and 23B of the Federal Reserve Act – organizations should have written policies governing the relationships between holding companies and subsidiaries, and processes in place to confirm activities are appropriate and consistent with the agreements.
- Tracking regulatory developments – organizations should have processes and procedures, including automated techniques, in place to track regulatory developments.
- Automated Clearing House (ACH) policy – banks should have a board-approved ACH policy in place that is monitored for compliance.
- Living wills – compliance with Dodd-Frank provisions for developing living wills that provide guidance on unwinding the largest banks.
An effective internal audit function serves as a cornerstone of an institution’s governance framework and system of internal controls by providing independent and objective evaluation of risk management, control, and governance throughout the organization. Examiner ratings for risk management explicitly consider internal controls, which include the effectiveness of the internal audit function. As a result, an unsatisfactory rating for the internal audit function can have a significant impact on the overall rating for risk management within an organization.
CAEs can incorporate these seven steps into a broader assessment of their internal audit function to help prepare for a regulatory review and provide the greatest value to their organization. Being proactive and transparent and maintaining open lines of communication can help develop a solid relationship with the regulators, which may prove invaluable to an organization.
To comment on this article, email the FSA Times editor, Shannon Steffee, at firstname.lastname@example.org.