Critical Oversight: Assessing Internal and External Audit

Two of the most important duties a financial institution’s audit committee must perform involve overseeing the bank’s internal audit operations and supervising its external auditors. The internal and external audit functions are fundamentally different, yet there are important similarities in the skills and attributes necessary to perform them successfully, and in the methods, processes and disciplines the audit committee must apply to meet its oversight responsibilities.

Different Functions, Shared Attributes

Despite their similar nomenclature, external and internal audits differ in several important ways including:

• Mission: External auditors examine and verify financial statements and reports, certifying their accuracy to shareholders and regulators. Internal auditors evaluate financial and operational controls, processes and risks, and report their findings to management and the audit committee.
• Scope: External auditors focus exclusively on financial records and statements. Internal auditors have a broader mandate that encompasses other business practices and risks.
• Reporting lines: External auditors must be independent, supervised by the audit committee and reporting to shareholders through the board. Internal auditors are also supervised by the audit committee, but their reporting lines are more complex. The bank’s internal audit employees must be under the supervision of an independent person within the organization, with only dotted line reporting to management. Internal audit is also prohibited from making management decisions. When internal audit services are outsourced to independent audit firms, regulators make it very clear that management still retains ownership, responsibility and accountability for those services.
• Timing: The external audit is an annual event, coinciding with issuance of the annual report. Internal audit is a continuous function that typically follows a multiyear audit plan that outlines coming areas of focus.

Despite the differences, internal and external auditors are expected to possess certain common skills or attributes. To be effective, auditors must be:

• Attentive to detail.
• Adept at evaluating the design and operating effectiveness of controls.
• Able to recognize and prioritize issues based on significance and level of risk.
• Skilled at communicating complex issues to a nontechnical audience.

Evaluating External Auditors

The process for evaluating a bank’s external auditors typically is detailed in the audit committee’s charter. The evaluation is performed annually as part of the auditor’s reengagement. While the frequency of evaluation is not flexible, the evaluation criteria can be slightly more open to interpretation. General areas of focus include:

• Quality of the audit firm’s work. In addition to the committee’s own experience, it should also review the auditors’ Public Company Accounting Oversight Board inspection results and peer review reports.
• Independence, objectivity and professional skepticism of the auditor.
• Effectiveness of the audit firm’s quality control procedures.
• Quality of the engagement team including team members’ knowledge, skills and experience.
• Quality and timeliness of communication and deliverables.
• Any feedback from management regarding the audit experience.

Evaluating Internal Audit

Because the leader of internal audit is a bank employee, the audit committee typically performs this evaluation as part of an annual salary or performance review. The review should address areas of focus comparable to those listed for the external auditor review, including quality of work; independence, objectivity, professional skepticism, quality control procedures, and the knowledge, skills and experience of the internal audit team. Additionally, the audit committee should evaluate:

• Adequacy of the resources available to internal audit.
• Quality and qualifications of the independent firms providing outsourced internal audit services.
• Sufficiency of audit coverage and the long-term audit plan.
• Timely completion of the annual schedule.
• Quality of the broader risk assessment process.
• Any feedback from management, especially the chief executive officer or chief financial officer, who oversees day-to-day internal audit activities.

Additional Evaluation Resources for Audit Committees

The Securities and Exchange Commission and federal banking regulatory agencies have published extensive guidance regarding the evaluation processes for external and internal auditors, including the agencies’ “Interagency Policy Statement on the Internal Audit Function and its Outsourcing.”

Audit committees also can obtain helpful guidance from professional standards organizations such as the Center for Audit Quality’s “External Auditor Assessment Tool” and the Institute of Internal Auditors’ practice guide “Measuring Internal Audit Effectiveness and Efficiency.”

While the audit committee bears direct responsibility for overseeing both external and internal audit functions, other board members and the bank’s executive team also have important roles to play. By supporting the audit committee’s efforts, allocating sufficient resources, providing constructive feedback and instilling sound corporate governance practices, they can help ensure that the organization meets its obligations to shareholders, customers and the broader community of stakeholders.