Is Your Internal Audit Program Stuck in the 1990s?
Author: Bert Purdy
Remember in the 1990s when customers came into your branches, loan terms were sealed with a handshake and closing the year-end financial statements lasted until 1 a.m.?
A lot has changed in banking since the 1990s. Almost everything now is done electronically, data is stored and processed in the cloud and customers bank through mobile devices. All this change in the last 25 years raises the question: “Has your internal audit program changed with it?”
Regulatory agencies continue to update their expectations for bank risk management programs. It’s become such a point of emphasis that state member banks now receive formal risk management ratings in their examination reports.
While risk management has many components, a robust internal audit program is a foundational aspect of a solid risk management program. Through the Interagency Policy Statement on the Internal Audit Function and Its Outsourcing, the agencies even mandate an internal audit function.
While internal audit is mandated, its form can be diverse. You can insource, outsource or cosource your internal audit plan. You can spend a lot of time performing internal audit procedures for every activity in the bank, or you can focus on high-risk areas.
Regardless of your bank’s approach, an efficient and effective internal audit program today cannot be the same program used 25 years ago. Here are three examples of “old” methodologies and practices:
Reperformance – Internal audit is about identifying weaknesses in controls. Reperforming an activity only confirms that one particular result was accurate. It does not tell you whether the control that produced it would catch an error or fraud the next time.
Many old internal audit programs still contain internal audit procedures such as, “Reconcile the loan trial balance to the general ledger.” Do you really want to pay an audit firm to reconcile your general ledger accounts? Often, the procedure represents reperforming work already performed.
The modern methods of performing internal audit procedures of reconciliations are multifaceted and include:
- Agreeing the general ledger and subsidiary ledger to source documents
- Determining whether the preparer and reviewer signed and dated the reconciliation
- Assessing independence of the preparer and reviewer as to the respective accounts
The most important step is assessing the independence of the personnel responsible. A reconciliation can be completed accurately by personnel who are not independent, but if the preparer or reviewer can also post transactions to the account being reconciled, the reconciliation cannot be relied on to detect errors or manipulation introduced by that person. That exposure is one of the most important things for management and the board of directors to know. Why should internal auditors be so focused on segregation of duties? Because a breakdown in segregation of duties is the primary way fraud is perpetrated.
Risk Assessment – Most bankers despise the phrase “risk assessment.” It’s understandable; bankers generally are required to perform a formal risk assessment before initiating any new activity, product or service. It’s also resented because bankers already assess risk, at least informally, as part of the decision to initiate any new activity, product or service. A risk assessment is a process, not a document. Bankers always assess risks; what they don’t always do is document the process and its results, and that documentation is what truly matters.
Your internal audit program should always be based on a comprehensive risk assessment. Without assessing the risks in the organization and allocating audit resources accordingly, you may end up auditing low-risk items more often than needed. Low-risk activities should still be subject to internal audit, just not as frequently. An internal audit program should be risk-based: higher-risk areas are audited more often. Gone are the days of auditing everything every year.
Generalists – A major concern, especially at banks with internal auditors on staff, is whether those personnel have the skills to cover the more complex areas of the internal audit plan.
Information technology reviews, ACH audits, trust audits and regulatory compliance reviews require specific knowledge and training to perform an effective internal audit. It’s highly unlikely one individual—internal or third-party—will have the skills to audit all of these and the general operational areas of the bank.
These are just three of the antiquated internal audit practices still living in financial institutions today. Now is the time to look at your internal audit program, or question your internal audit provider, and make sure the program has progressed out of the 1990s.
For more information on internal audit issues, contact your BKD advisor.