For bank Internal Audit, 2013 has been a year of continued significant change in focus and expectations. Bank regulators, professional organizations and committees, and other thought leaders have spent the year developing guidance that enhances organizations’ ability to reduce risk, strengthen internal controls, and improve compliance. Recent guidance and current trends reflect a strengthened focus on the expectations of internal audit, audit committees, management, and components of supervisory assessment.
What the regulators said in 2003
It has been ten years since banking regulatory agencies issued the comprehensive 2003 “Interagency Policy Statement on the Internal Audit Function and Its Outsourcing.”
This statement was issued in the aftermath of significant, highly publicized internal audit failures in the corporate world that led to the passage of the Sarbanes-Oxley Act (SOX) of 2002. The 2003 policy—which is still in effect today—reminds financial institutions of the important role effective internal controls play in a safe and sound operation.
The statement also highlights other significant responsibilities of a bank’s board and senior management. These responsibilities include making sure the system of internal control operates effectively; emphasizing ownership of internal controls, a responsibility that cannot be delegated to others; and identifying the internal audit function as a critical element in the process of assessing internal control effectiveness.
In the 2003 policy statement, the agencies raise concerns about the scope and management of some internal audit outsourcing arrangements. They can negatively affect an institution’s safety and soundness if not structured properly. When properly structured, carefully conducted, and prudently managed, outsourcing can be beneficial to an institution.
However, the agencies wanted to make sure that these vendor arrangements do not leave directors and senior management with the erroneous impression that they have been relieved of their responsibility for maintaining an effective system of internal control and for overseeing the internal audit function.
The 2003 policy statement also prohibits public companies from outsourcing internal audit to the company’s external auditor and discusses the effect of this prohibition on insured depository institutions subject to the annual audit and reporting requirements of Section 36 of the Federal Deposit Insurance Act, as well as the agencies’ views on compliance with SOX for institutions not subject to Section 36 of the Federal Deposit Insurance Act (including smaller depository institutions). Finally, the statement provides guidance to examiners on conducting assessments of bank internal audit functions and related matters.
Fast-forward to 2013
A decade can be an eternity, especially under today’s conditions.
In January 2013, the Board of Governors of the Federal Reserve System issued a “Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing” to provide institutions with additional information related to the interagency guidance issued in 2003.
Building upon that guidance, the Fed’s supplemental statement addresses the characteristics, governance, and operational effectiveness of institutions’ internal audit function.
While the guidance is directed to state member banks and bank holding companies with more than $10 billion in assets, all banks could benefit from reviewing the guidance to gain regulatory perspective on an effective internal audit function.
Evolving expectations and examination procedures
Following the recent financial crisis and the subsequent supervisory and internal audit changes, Fed staff identified areas for improving regulated institutions’ internal audit functions:
• Challenge management and policy.
• Challenge management to adopt appropriate policies and procedures as well as effective controls.
• Challenge the effectiveness of policies that are outdated, ineffective, or not up to current industry or regulatory standards.
• Establish and evaluate risk tolerance.
• Understand risks the institution faces, and confirm that the board of directors and senior management are actively involved in setting and monitoring compliance within the institution’s risk tolerance limits.
• Evaluate the reasonableness of established limits, and perform sufficient testing to make sure that management is operating within these limits and other restrictions.
• Determine governance and strategic objectives.
• Evaluate governance at all management levels within the institution and within all significant business lines.
• Evaluate the adequacy and effectiveness of controls to respond to risks within the organization’s governance, operations, and information systems. Communicate any concerns to the board of directors and senior management.
Guidance from the professionals
The Fed guidance encourages internal auditors to adhere to professional standards, such as guidance from the Institute of Internal Auditors (IIA). The IIA guidance provides practices intended to increase the safety and soundness of institutions, including:
• Professional competence/staffing
• Internal audit charter
• Outlines objectives and scope of the internal audit function
• Specifies the internal audit function’s management reporting position within the organization, as well as its authority and responsibilities
• Outlines the responsibilities and accountability of the chief audit executive
• Includes the internal audit function’s responsibility to evaluate the effectiveness of the institution’s risk management, internal controls, and governance processes
• Corporate governance
• Specifies board and audit committee responsibilities
• Spells out that the audit committee and its chairperson should have ongoing, as-needed interaction with the chief audit executive separate from formally scheduled meetings to remain current on any internal audit department, organizational, or industry concerns. This should include executive sessions between members of the audit committee and chief audit executive without members of senior management present.
IIA and Fed guidance work well together
In addition to these recommendations, IIA has issued several position papers that are well aligned to the guidance from the Fed.
In particular, “The Three Lines of Defense in Effective Risk Management and Control” very effectively aligns with the concepts in the Fed guidance. The Three Lines of Defense model described by the IIA focuses on organizing diverse teams to work together to help manage risk. Banking organizations typically have compliance departments, fraud detection functions, internal auditors, SOX managers, controllers, and other risk and control professionals—all with intertwining duties related to risk management and internal control.
Often these specialties each have a unique perspective and skill set, but their duties are increasingly divided across varied operations, functions, and departments. The Three Lines of Defense model seeks to bring these diverse groups together to coordinate, close gaps, reduce duplication of coverage, and establish boundaries of responsibility to improve effectiveness of the organization’s overall risk and control structure.
The Three Lines of Defense model distinguishes among three groups (or lines) involved in effective risk management:
1. Functions that own and manage risks, including those that:
• Maintain effective internal controls and procedures on a day-to-day basis
• Identify, assess, control, and mitigate risks by guiding the development and implementation of internal policies and procedures
• Make sure activities are consistent with risk and control goals and objectives
• Provide adequate managerial and supervisory control to achieve compliance
• Implement corrective actions to address process and control deficiencies
2. Functions that oversee risks, including those that:
• Help build and monitor the first line of defense controls, such as risk management and compliance functions
• Are typical banking roles, such as:
• Risk management
• Security or fraud detection
• Controller function, which could include SOX activities
• Loan review
• Make sure the first line of defense is properly designed, in place, and operating as intended
• Establish some degree of independence from the first line but are management functions
• Support management policies and implementation
• Provide risk management frameworks and guidance and training on associated processes
• Are instrumental in identifying known and emerging issues
• Facilitate and monitor risk management practices for alignment with risk management policies and established risk appetite
3. Functions that provide independent assurance, including those that:
• Provide comprehensive assurance to the board and senior management based on a position of independence and objectivity
• Focus on effectiveness of governance, risk management, and internal controls, including the activities of the first and second lines of defense and their effectiveness
• Include a broad range of objectives, including efficiency and effectiveness of operations, safeguarding of assets, integrity of financial reporting processes, compliance with laws and regulations, and compliance with policies and procedures
• Include all elements of the risk management and internal control framework
• Report to a sufficiently high level in the organization to maintain independence
• Have an active and effective reporting line to the audit committee
Bank regulators are reviewing and evaluating the industry’s internal audit functions through more critical lenses in the wake of the recent economic crisis and wave of bank failures.
Forward-thinking audit committees and senior management personnel should familiarize themselves with the various pieces of guidance issued in 2013 and give strong consideration to the elements of governance, structure, and operational effectiveness of risk- and control-focused activities, and particularly internal audit.
These new expectations and responsibilities for addressing risk can contribute to strategic success if embraced and supported through retooled risk and audit strategies.
About the authors
Michele Sullivan is a partner with Risk Consulting at Crowe Horwath LLP in the internal audit services group. [email protected]
Dennis Hild is a director with Crowe in the Washington, D.C., office. [email protected]