The role of the internal audit has been evolving from that of a compliance and fraud watchdog to that of a full-fledged partner in an institution’s overall risk management process. In light of this development, all community banks should review their internal audit (IA) programs to ensure that they’re meeting their risk management needs.
Why the change?
Many institutions recognize that internal audit, with its intimate knowledge of the organization and its operations, is uniquely positioned to identify and evaluate a bank’s risks and its risk management activities. Plus, banking regulators are placing greater emphasis on risk management and the critical part IA plays in the process. For example, in 2014, the Office of the Comptroller of the Currency published its Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; Integration of Regulations.
Community banks aren’t required to follow the guidelines. Nevertheless, they represent best practices for well-managed banks and are likely to shape examiners’ expectations. To enhance their risk management programs, community banks should consider incorporating the guidelines — adjusted as appropriate for their size and risk profile.
What do the guidelines require?
Covered banks must establish and implement a written risk governance framework that addresses credit, interest rate, liquidity, price, operational, compliance, strategic and reputational risk. The guidelines also provide detailed guidance on the relative roles and responsibilities of a bank’s “front line” business units, independent risk management and IA.
The responsibilities of the IA function include:
- Ensuring that the framework complies with the guidelines and is tailored to the bank’s size, complexity and risk profile,
- Maintaining a current inventory of material processes, product lines, services, and functions, and assessing the risks associated with each,
- Implementing an audit plan — periodically reviewed and updated — that takes into account the bank’s risk profile and emerging risks and sets the frequency with which activities should be audited,
- Providing written reports to the audit committee on the conclusions, material issues, recommendations and other information revealed by its audit work,
- Implementing processes for independently assessing — at least annually — the design and ongoing effectiveness of the framework, and
- Informing the board or audit committee of significant deviations from the framework.
The IA function also should establish a quality assurance program to ensure that its policies, procedures and processes: 1) comply with applicable regulatory and industry guidance, 2) are appropriate given the bank’s size, complexity and risk profile, 3) are updated to reflect changing risk factors, emerging risks, and improved audit practices, and 4) are consistently followed.
In-house or outsourced?
It’s important for banks to decide whether to run an IA program in-house or to outsource it to a public accounting firm or other professional organization. Some advantages of outsourcing: It gives a bank access to expertise or specialized audit tools that may be difficult or cost-prohibitive to maintain in-house. It also allows a bank to avoid the fixed labor and overhead costs associated with an in-house IA department and to easily adjust its “staff” as needs fluctuate. Plus, external consultants are often perceived as possessing greater independence, which may lend credibility to the internal auditors’ findings.
A disadvantage of outsourcing is that external consultants may lack the in-depth knowledge of the bank that in-house staff possess. One potential solution is to outsource IA to the bank’s external auditor, which already knows the institution (provided the bank isn’t subject to SEC rules prohibiting this). Even where it’s permitted, however, the bank should weigh the potential benefits of using the same firm for both internal and external audit against the risk of impairing the external auditor’s independence.
For banks that opt for an outsourced solution, it’s critical to follow the federal banking agencies’ guidance on managing third-party risk.
Manage the risks of outsourcing
Over the last few years, most federal banking agencies have published guidance on managing outsourcing risks. The guidance requires banks to develop a formal plan for managing third-party relationships, conduct thorough due diligence on prospective providers, negotiate contracts that clearly spell out each party’s rights and responsibilities, monitor the relationship, and perform periodic independent reviews of the third-party risk management process.
Also, in 2013, the Federal Reserve issued its Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing. Although the statement doesn’t apply to community banks, it provides valuable guidance on managing outsourcing risks. It also emphasizes that the board and management remain responsible for IA, and requires a written agreement that clearly outlines the respective roles and responsibilities of the bank and the IA firm.
Banks should develop policies and procedures for selecting competent internal audit vendors and overseeing their work, have a contingency plan in the event of any disruptions in service, and ensure that a vendor’s work meets the quality standards expected of an in-house IA department.
Review your program
If you haven’t reviewed your internal audit program lately, you should make that assessment. The importance of risk management — and IA’s role in the process — will only continue to grow.
The goal of a risk management program is to identify and manage potential events that could affect an organization. Bankers are adept at risk…