JPMorgan Chase & Co.’s London Whale scandal illustrated how a small player inside an institution can wreak serious havoc when proper internal controls are not in place. Essentially, one trader managed to cause a $6 billion loss without anyone inside the bank stopping it. Following the financial crisis and scandals at places such as JPMorgan, regulators have emphasized the role of internal audit, especially as it relates to risk management. With the spotlight on internal audit, Bank Director magazine sought help from two veteran audit committee members, Ingrid Stafford at the $17-billion asset Wintrust Financial Corp. near Chicago, and Tom Kennedy of the $8.3-billion asset National Penn Bancshares in Boyertown, Pennsylvania, to compile a list of questions for bank boards to review regarding the responsibilities and changing role of internal audit.
What are the basic functions of internal audit and the responsibilities of the board?
Internal audit should provide an independent, objective consulting perspective to improve an organization’s operation, according to Kennedy. The primary purpose is to evaluate the institution’s internal control system, risk management and governance practices; ensure the integrity of the organization’s financials; and make sure management’s policies are followed. The role of the board is to provide independence from management to make sure internal audit is functioning properly, says Stafford.
Is the staffing appropriate and does internal audit have the expertise and experience it needs?
The audit committee should approve the internal control department’s budget and staffing levels. Audit committees review and sign off on the audit plan for the upcoming year. They also make sure the bank’s priorities and highest levels of risk are the priorities in the audit schedule. The audit committee reviews audits and is responsible for holding management accountable for fixing any problems discovered by internal audit. Some small banks use outside consultants to audit various functions of the bank, such as information technology. The audit committee shares a responsibility with management to select, oversee and assess the qualifications and procedures of any outside vendors used by the audit department. Kennedy says his bank’s internal audit department also audits itself. Outside consultants and external auditors can be good sources of suggestions for improvement.
Are critical issues being addressed?
Depending on the size of the bank, audit committees review full audit reports throughout the year, or summaries of such reports if the full audit reports are too lengthy for the board to read, Stafford said. The internal audit function will rate, or grade, the functioning of each department. Critical issues that have been identified need to be addressed and the audit committee should follow up to get reports on whether the issues have been fixed in a timely manner. In some cases, the committee will have to wait for the next audit to find out if the issue has been fixed.
Are the expectations of regulators changing when it comes to internal audit?
The Board of Governors of the Federal Reserve System came out in January with amended guidance on internal audit that applies to supervised institutions with more than $10 billion in assets. Although the guidance doesn’t apply to non-supervised institutions or smaller banks, it could become a best practice for all institutions. The guidance clarifies the audit committee’s oversight role for outsourcing of internal audit functions and says audit committees and the committee chairman should engage in regular communication with the chief audit executive outside of regularly scheduled meetings. It also says internal audit should perform “knowledge gap assessments” at least annually to evaluate whether current staff has the knowledge and skills needed and that auditors generally receive a minimum of 40 hours of training per year. Stafford says that as a general rule, regulators want clear independence for internal audit. Many banks handle independence by having the internal audit chief report directly to the audit committee chairman except for administrative purposes, like determining salaries or vacation. The guidance from the Federal Reserve says that if the bank has the chief audit executive report to management for administrative purposes, that direct report should be the chief executive officer. If not, the bank should document its reasons for having the audit executive report to a different member of management.
What is the appropriate role for internal audit in enterprise risk management?
As regulators increasingly expect banks to focus on enterprise-wide risk assessment, the workload of many audit committees has increased. The Federal Reserve’s guidance says that internal audit should be involved in assessing the effectiveness of risk management, both from an individual risk perspective (e.g., credit risk) and at the institutional level. Kennedy says National Penn has a separate enterprise risk management committee that sets the bank’s risk appetite and focuses on enterprise-wide risk. As audit chairman, he also serves on the risk committee. The split between the audit and risk committees has cut down on the enormous workflow of the audit committee.