The internal audit department within a bank is uniquely qualified to monitor the institution’s compliance with the board’s objectives and test the effectiveness of internal controls. Accordingly, a high-performing audit function can help the bank and its board achieve their risk-adjusted goals, while an underperforming audit function can undermine the confidence of both regulators and external auditors, resulting in greater scrutiny and the potential for higher external audit fees. As banks recalibrate their risk appetites, the future capabilities and past contributions of internal audit should be reviewed.
The role of internal audit
The internal audit department has a bankwide perspective of the risk “pie” including: financial, operational, information technology, and compliance risks (i.e., core risk disciplines). Other risk-related departments within the bank, such as legal, compliance, loan review, and security are more narrowly focused. An effective internal audit department will have strong informal alliances with these risk partners yet still have the ability to audit them objectively and independently.
Internal audit departments also can be involved in the bank’s enterprise risk management (ERM) process; however, the internal audit department is not permitted to own the process. According to the Institute of Internal Auditors (IIA), permissible ERM activities include:
- facilitating the identification and evaluation of risk,
- coaching management in responding to risks,
- coordinating ERM-related activities,
- consolidating the reporting on risks,
- maintaining and developing the ERM framework,
- championing the establishment of ERM, and
- developing risk management strategy for board approval.
Essentially, these are legitimate consulting activities that internal audit departments may perform.
Impermissible activities include:
- setting the risk appetite,
- imposing risk management processes,
- providing management assurance on risks,
- making decisions on risk responses,
- implementing risk responses on management’s behalf, and
- having accountability for risk management.
From a practical standpoint, a useful approach is for the internal audit department to perform a detailed “bottom-up” risk assessment. Another bank risk department or nonaudit officer should sponsor a “top-down” risk assessment by facilitating discussions at the board and executive levels. The results of the two approaches are then compared to assess similarities and differences in risk rankings. The chief audit executive (CAE) should then present the logic for including or excluding the higher-risk areas from each risk assessment in the annual audit plan. As described, the ERM and internal audit department risk assessments are separate but complementary, and both are components of the annual audit plan.
How well does your internal audit department work?
Evaluating the current and potential capabilities of the internal audit department starts with an understanding of the CAE’s background. Many CAEs come from a public accounting background and thus are CPAs. Such a CAE will likely emphasize financial risk and follow processes learned in public accounting that tend to focus on financial statement risk and the production of a formal audit “work paper,” a practice that limits the CPA firm’s and its partners’ exposure to litigation risk. Such a background and approach is arguably good for a bank internal audit department, but alone it is not sufficient. If the internal audit department is staffed exclusively with financial auditors from public accounting, then compliance, IT, or operational risks may be neglected.
Ideally, the CAE and each staff member will be competent in two or more of the four core risk disciplines as well as have financial institution audit experience. Well-rounded bank operations experience is also a valuable qualification.
Having a diverse and highly qualified staff is also essential to meet expectations. The bank should determine if the CAE has sufficient authority to hire, promote, and retain the audit staff members who, ideally, will have certifications relevant to the job (e.g., CFSA, CPA, CIA, CFE, CISA). If the CAE encourages and financially supports the staff becoming certified, audit skills can be upgraded as the staff meets continuing education requirements. Audit certifications are a cost-effective use of the internal audit department’s limited training budget.
The board should also assess whether the bank has a formal or informal rotation program to promote internal auditors into other roles. A strong internal audit department will have both career internal auditors and those who have ambitions to be promoted elsewhere within the bank. Absence of movement from the internal audit department is a possible concern. The board may want to consider requesting presentations from the senior staff members in its audit committee meetings, or inviting them to executive sessions where they can be asked in confidence about the CAE’s management of the internal audit department.
The CAE must have sufficient stature within the bank to provide the level of assurance expected by the board and to add value to the organization. Stature is partially a matter of title/rank, budget autonomy, access to the audit committee and board, including presence at board meetings, and full participation with the regulator (e.g., entrance and exit meetings). Be alert to the possibility that the internal audit department lacks sufficient authority and resources to meet the board’s expectations in this regard.
Relationship with the board’s audit committee
The CAE can be most effective when he or she is well supported by the audit committee. It is not uncommon for a CEO or CFO to draft the CAE’s annual performance review and make compensation recommendations, which are then presented to the audit committee for approval. Yet such an approach is often transparent to the CAE and tends to raise questions about the CAE’s true independence. A better approach is for the committee to assume direct oversight of the CAE’s performance review process. Moreover, if grooming a successor is one of the CAE’s objectives, the board can assist the CAE in identifying a career path.
The chair of the audit committee and the CAE both benefit from a close working relationship that includes frequent, formal and informal communication via telephone, e-mail, and in person. Periodic offsite meetings are a good way for both the audit chair and the CAE to develop familiarity and for the chair to gain better insights into the CAE’s perspective. Conversely, the CAE will better understand the chair and board’s priorities and learn more about the bank’s current challenges and strategy. This information will bolster the quality of the CAE’s risk assessments and enhance overall audit management.
Executive sessions that follow regularly scheduled committee meetings are another opportunity for audit committee members to gain clarity and deeper insights into audit issues. These sessions also allow the CAE to highlight areas of concern. Allowing direct and open-ended questions from the members helps facilitate productive discussions.
Tracking progress with the audit plan
The CAE’s ability to consistently deliver the audit plan is a key performance metric. The audit committee can track the number of audits performed year-to-year, the composition of the audits (e.g., percentage financial, operational, IT, compliance, etc.), and the percentage of new audits. It should also note whether audits with high-risk findings and/or unsatisfactory conclusions are scheduled for follow-up. Do the same auditors perform the same audits year after year? If so, periodic rotation of auditors may yield new and better results, as “fresh eyes” inevitably bring a different perspective. Finally, the committee should determine whether low-risk audits are deferred indefinitely or scheduled every three to five years.
Internal auditors are permitted and encouraged by the IIA to perform limited consulting work. This can be beneficial to both the bank and the internal audit department as staff members are encouraged to develop their skills, enhance relationships, and bring more value to the bank with a different form of deliverable.
Typically, the internal audit department’s consulting report will include detailed narratives, background information, and recommendations, but they will not necessarily require management responses or include the risk ratings found in conventional audit reports.
The audit committee should be attuned to excessive use of outsourcing. Dollars spent on training and equipping internal auditors are very cost-effective compared with staff augmentation or consulting at rates of $50 to $500 per hour. For example, acquiring software and training auditors to perform data analysis or IT security reviews can have a one-year payback when compared with the cost of outsourcing repetitive engagements. An added benefit is that auditors learn new skills, are more challenged and engaged, and turnover is reduced. Conversely, a complete absence of outsourced or cosourced audits may indicate an insufficient budget or a reluctance to cover audit areas where internal skills are limited.
Another metric for discussion with the CAE is average cost per audit report, which is the total annual cost of the internal audit department divided by the number of audit reports delivered. Ideally, the internal audit department should also be identifying cost savings, revenue enhancements, and process improvement opportunities. One example of such process improvement is performing work for the external auditor. It is often possible to negotiate lower external audit fees when the internal audit department commits to perform some of the annual financial statement audit work.
The importance of communications and feedback
Internal audit departments should send audit committee members reports containing concise conclusions, clear identification of the risks and their implications, thoughtful recommendations, and responsive management replies to the findings for their review. Committee members are uniquely positioned to be the arbiters of management responsiveness. If responses are contentious or not on point, this could indicate potential problems in the internal audit process, which may cause a regulator to lose confidence and increase scrutiny. Ask whether any senior executives review and edit management responses prior to submission to the CAE. Note also whether corrective action items are significantly past due.
Committee members must be mindful that audit reports are rarely privileged and are subject to discovery in a legal process, though such risk can be mitigated by marking reports confidential and limiting distribution. In extremely sensitive cases, internal or external auditors can be engaged by legal counsel, preferably external counsel, to work under privilege at the direction of counsel.
The audit committee and management are in the best position to judge the quality of the internal audit department. However, the IIA’s professional standards require that internal audit departments have an independent (i.e., external) quality assurance review not less than once every five years. This requirement is in addition to an ongoing quality assurance program under the direction of the CAE.
Effectiveness: the real return on investment
As the expectations and workload of the independent directors and audit committee members expand, increasing reliance can be placed on the CAE if the internal audit department has sufficient resources and organizational stature. An effective CAE will respond to and be energized by engaged audit committee and board members who are supportive and inquisitive and who set challenging performance expectations.
The audit committee and the CAE have unique and complementary roles that benefit from close and frequent communication and collaboration, where a shared objective is to meet organizational goals within the board’s expressed risk appetite. Finally, a highly performing internal audit department will also inspire the confidence of the bank’s regulators, a fact that will be reflected generally in all examination results and specifically in the management component of the bank’s CAMELS rating.