In today’s ever-expanding risk environment, institutions need to be responsive in their internal audit program’s ongoing design.
As noted in interagency guidance, the board and senior management are responsible for ensuring the internal control system is effective. An important element in assessing its effectiveness is the internal audit function.
Consider these concepts when evaluating your program.
Establish a Policy
To assist in carrying out their responsibilities, the board or audit committee should establish an audit policy outlining the internal audit function’s framework. The policy should define an objective and incorporate such components as reporting requirements, independence considerations and the establishment of outsourcing relationships, to name a few. The policy should consider the institution’s size and complexity.
Use Your Risk Assessment
Institutions know the importance of risk assessments. Regulatory authorities have emphasized developing entitywide comprehensive assessments and maintaining assessments specific to key compliance and operational functions.
To develop an effective internal audit risk assessment, the institution’s risk profile and strategic plan need to be considered. Once addressed, the most important step is identifying risks within the audit universe. If you don’t identify a risk, then you can’t measure and manage it. To effectively do this, you need a thorough understanding of the business lines’ operations and activities, so solicit input from appropriate personnel during the process.
Measure all auditable areas for inherent and residual risk. It’s important to identify the controls being relied upon to determine residual risk as this is pertinent in the design of the testing procedures.
Determine an Appropriate Cycle
The frequency and depth of the audits should be commensurate with the institution’s risk level. Areas identified as high risk should be addressed at least annually; lower risk areas may be limited to a biennial or triennial audit cycle, or it may be appropriate to not test an area. It’s no longer proper to test every audit area each year, a common practice years ago. Today, the audit function requires risk-based audit planning. This approach can use resources effectively and contribute more meaningfully to improving the institution.
The audit procedure’s design should align with the identified risks. As previously mentioned, determining which controls are relied upon in the residual risk assessment process drives the testing procedures. In addition, consider past results. Audit procedures that have resulted in previously reported findings should be included in the procedures’ design and may likely warrant larger sample sizes.
Approve the Plan & Have Capable Personnel to Execute
The internal audit plan, including risk assessment, should be presented to and approved by the audit committee at least annually. It’s critical that those responsible for performing internal audit procedures possess the necessary skills and are independent from the business process. As a result, many institutions find it necessary to outsource some or all of the testing to third parties. It’s important to understand that outsourcing doesn’t absolve the board and senior management of their responsibilities for ensuring an effective internal control system.
Create Action Plans & Be Accountable
Internal audit testing should be accompanied by written reports that clearly communicate the scope and findings. It’s management’s responsibility to respond to these results by defining a corrective action plan and a targeted remediation date. Just as it’s important for management to develop a corrective action plan, it’s equally important to hold management accountable by designing audit procedures to test the execution of action plan items.
These are just a few concepts to consider when evaluating your internal audit program. An effective internal audit program achieves the audit policy’s objectives and is efficient. If appropriately administered, it also will identify opportunities for process improvements, promote a culture of compliance, create accountability and help reduce mistakes.
Contact your BKD advisor if you have questions.