Bank Regulators Now Have Put Internal Audit in Their Sights

A series of publicly disclosed accounting, risk management, and internal control problems at financial institutions has made federal bank regulators increasingly critical of bank internal audit functions.


That criticism, along with the Sarbanes-Oxley Act, updated bank regulatory guidelines, new SEC rules, and stock exchange corporate governance requirements, has put more pressure on financial companies and their directors to ensure the objectivity and effectiveness of internal audit functions.

This year the Federal Financial Institutions Examination Council, the umbrella organization for federal bank regulators, issued a revised interagency policy statement on "The Internal Audit Function and Its Outsourcing." The title has created some confusion, as some institutions erroneously assumed that the guidance applied only to outsourced internal audit functions. Most of this policy statement applies to all internal audit functions, whether outsourced or not.

This regulatory guidance underscores board responsibility for the oversight and functioning of internal audit. Boards should consider the FFIEC's guidance in four key areas: structure, management, scope, and communications.

Structure

Review reporting lines of internal audit to make sure that the function is appropriately independent and objective and not unduly influenced by management.

Ideally, the board should assign responsibility for the internal audit function to a member of senior management, the chief audit executive.

The CAE must be someone who has sufficient corporate standing, understands the function, and is not immediately responsible for operating the institution's system of internal control. The regulators' ideal reporting structure would have the CAE report functionally and administratively to the audit committee.

Some institutions might place the CAE under a dual reporting arrangement: reporting functionally to the audit committee on matters such as the overall audit scope and reporting of results but reporting administratively to a senior executive within the bank. This approach has the backing of the Institute of Internal Auditors.

In these instances the CAE's administrative supervisor should be a champion for internal auditing and controls and should not hinder the CAE's objectivity or effectiveness.

According to the FFIEC, "the objectivity and organizational stature of the internal audit function are best served under such a dual arrangement if the internal audit manager reports administratively to the CEO."

Ensuring the effective operations of these reporting lines may be one of the audit committee's most important responsibilities. Accordingly, audit committees should establish objective, measurable criteria to oversee the objectivity of the function and monitor its effectiveness.

Institutions occasionally seek to coordinate internal audit activities with an institution's risk-monitoring functions (for example, loan review, market risk management, legal, or compliance) by establishing an administrative reporting arrangement under one senior executive. However, care must be taken to see that internal audit does not conduct control activities or diminish its independence with respect to audits of these functions.

Avoid consulting conflicts. Consulting activities performed by internal audit also may compromise the objectivity needed to monitor the institution's system of internal controls.

To maintain its independence, the internal audit function should not assume a business-line management role over control activities. It should never approve, design, or implement any operating policies or procedures.

As a general rule, leading-practice audit committees limit the consulting activities of a company's internal audit function to risk and control issues and establish standards for these activities that ensure independence is maintained and communications are complete.

Management

The internal audit function should be led by a competent CAE who provides the requisite leadership and oversight to the function. Hiring audit personnel who possess the skills and expertise to identify the inherent risks in an institution and who can assess the design and operating effectiveness of risk management and internal control mechanisms is perhaps the CAE's biggest task.

The CAE is also responsible for establishing the performance standards, policies, and procedures for the function and for monitoring staff performance to ensure the function's effectiveness. The CAE should also lead innovation, which requires a process for identifying and adapting to evolving audit practices - including automated audit technologies - to keep pace with emerging risks to the organization.

Scope

The audit committee should review and approve the risk assessment and resulting audit plan for internal audit at least once a year. This review should ensure that internal audit's assessment and plan:

  • Reflect the complexity of the institution's business activities and the risk inherent in those businesses, and
  • Include the timing and frequency of audit coverage and the resources required to execute the planned coverage.

The audit committee should also review internal audit's use of outside vendors and ensure that it receives appropriate updates of the status of internal audit work versus the plan. It should also expect internal audit to expand its audit work when significant issues arise or when significant changes occur in the institution's environment, structure, activities, risk exposures, or systems.

Communication

Federal Reserve Board Governor Susan Bies advises that the board and senior management "foster communication with the internal auditors so that they are aware of pertinent issues and the board is aware of all significant matters."

Elements of effective communications include timely and complete discussion of the number and criticality of the institution's risk and control issues, and management's plans to correct identified weaknesses.

Effective tracking and reporting on the resolution of these issues is critical, as the board and senior management should know whether they have been sufficiently resolved and when their immediate action is required. To strengthen objectivity and independence, the CAE should routinely (for example, at each meeting) have an opportunity to discuss his or her findings and recommendations with the audit committee without management being present.

In addition, audit committees should establish and maintain procedures for receiving, documenting, and resolving confidential and anonymous employee concerns about questionable accounting, internal accounting control, or auditing matters.

In closing, the internal audit function is a crucial component of an institution's corporate governance structure. Regulators and shareholders are looking to financial institutions' boards of directors to ensure that their internal audit function is providing an objective, comprehensive view of risk management practices, accounting, and internal controls, and that it has the ability to adapt to an increasingly complex industry.

We recommend that boards work closely with their CAEs to assess the structure, management, scope, and communications of their internal audit functions, to see that those functions are aligned with stakeholders' needs: meeting the increased expectations of the new FFIEC guidelines and Sarbanes-Oxley, performing consistently with industry leading practices, and complying with the Institute of Internal Auditors' standards.


MORE FROM AMERICAN BANKER