Regulation | By Wesley Allen and Lori Charlebois
A bank’s internal audit function faces a myriad of evolving trends and regulatory scrutiny. Staying ahead of the curve is a challenge. Here are a few key trends to keep top of mind, as state and federal regulators display a renewed focus on rigorously evaluating the internal audit function.
Competency or experience – As an institution continues to grow, products and services become increasingly complex, requiring experienced personnel to complete the audits. Internal auditors need to ensure audit work programs for highly technical audits (e.g., Bank Secrecy Act, information technology and trust operations) are robust and commensurate with the size and risk profile of the institution. Ensuring that internal audit personnel are credentialed or appropriately experienced in the audit areas is key to avoiding regulatory scrutiny over competency.
Risk assessment process – The risk assessment narrative should be business-line specific with an audit universe at a sufficiently granular level to ensure all legal entities and potential audit areas are identified, assessed and audited in a timely manner. The risk assessment should be tailored to an appropriately disaggregated level to allow risk identification at the appropriate level. The conclusion reached must be documented both quantitatively and qualitatively. Finally, the audit plan should align with audit area rotations and the hours allocated to each area.
Sampling – There is no right answer to the question: “What is an appropriate sample size?” Each audit is unique. However, regulator consternation tends to occur when the sample size does not appear to be representative of the population. With the Sarbanes-Oxley Act, internal audit’s focus has turned to auditing internal control over financial reporting (ICFR). Certain industry-accepted sample sizes have emerged for auditing ICFR that may not be appropriate when applied to a non-financial reporting audit. Pick a sampling methodology, properly document it and stick with it throughout the audit cycle. If a deviation from the mandated sample size is required, robust documentation should be included in the audit work papers to support that conclusion.
Tracking and remediation of audit exceptions – Exception tracking and the reporting of exceptions to the audit committee should include all findings, including those identified by regulators, management, third-party vendors, internal audit, external audit, systematic deficiencies identified through the loan review function, 401(k) auditors, compliance auditors or others. Also, bank regulatory agencies are focusing on the timeline for correcting audit issues and whether appropriate follow-up actions occurred to validate closure of the issue. Validation of management’s efforts to remediate deficiencies should occur in a timely manner. In many instances, validation of remediation of a significant finding will need to occur before the next regularly scheduled audit, which may not be for another 36 months.
Outsourcing – The administration and oversight of the internal audit function is a significant area of focus and review by the regulatory agencies, including at banks that outsource certain internal audit tasks. Regulators have continually emphasized that audit committees cannot delegate responsibility for the internal audit function to a vendor. Therefore, regulators will be evaluating how the bank oversees its outsourcing relationships.
In closing, one of the key trends in internal audit at financial institutions is the renewed regulatory focus on the internal audit function. Careful attention should be paid to ensure that the right amount of resources is invested in the internal audit function to make it as effective as possible. Addressing staffing competency, the risk assessment process, exception tracking, outsourcing and sample sizes may require additional investments in training or resources. The audit committee, management and the internal audit function must come together and collaboratively strike the right balance between addressing regulatory concerns and the ever-present constraint of limited resources.
Wesley Allen is a Director in DHG Financial Services. He can be reached at Wesley.firstname.lastname@example.org. Lori Charlebois, Partner, DHG Financial Services, can be reached at email@example.com.