Does Your Internal Audit Scope Meet Regulatory Standards?
A Two-Part Series, Part One: The Regulatory Standards
One of the areas of focus for regulators of financial institutions in the coming months will be the scope of outsourced audits. We have recently noted a number of clients that have been criticized for audit scopes that are either inadequate relative to the institution's risk or simply not comprehensive.
It is well established that the safe and sound operation of a financial institution requires, among other things, a well-designed system of internal controls. The regulatory agencies all use a similar definition of internal control. For example, the Office of the Comptroller of the Currency (OCC) defines it in the Comptroller’s Handbook as follows:
Internal control is the systems, policies, procedures, and processes effected by the board of directors, management, and other personnel to safeguard bank assets, limit or control risks, and achieve a bank’s objectives.
Once a system of internal controls has been established by the Board of Directors, it is necessary to test the effectiveness of those controls and to make sure that bank personnel are adhering to the limits established. This is the role of internal audit. As the OCC handbook points out:
Internal audit provides an objective, independent review of bank activities, internal controls, and management information systems to help the board and management monitor and evaluate internal control adequacy and effectiveness.
Regular, comprehensive auditing of a financial institution's operations is a necessary part of safe and sound operation. All federally insured financial institutions are expected to maintain an internal audit function. However, for smaller institutions the cost of employing a full-time internal audit staff has proven to be prohibitive. At most institutions with assets of less than $1 billion, the audit function has been at least partially outsourced.
Outsourcing of the audit function is a well-established practice. The Federal Financial Institutions Examination Council (FFIEC) recognized this when it issued a comprehensive policy statement on the subject in 2003, the “Interagency Policy Statement on the Internal Audit Function and its Outsourcing”. Since its release, additional guidance has been issued that addresses outsourcing in more general terms. However, the 2003 policy statement remains the primary guide for outsourcing the audit function today.
Standards for Outsourcing
The FFIEC guidance makes it clear that the responsibility for internal controls remains with the Board and senior management of the financial institution.
Furthermore, the agencies want to ensure that these arrangements with outsourcing vendors do not leave directors and senior management with the erroneous impression that they have been relieved of their responsibility for maintaining an effective system of internal control and for overseeing the internal audit function.
The guidance is divided into four parts:
- The Internal Audit Function
- Outsourcing Arrangements
- Independence of the Public Accountant
- Guidance for Regulators
The Audit Function
The guidance notes that the audit function is the means by which the Board can test whether or not internal controls are effective.
Accordingly, directors and senior management should have reasonable assurance that the system of internal control prevents or detects significant inaccurate, incomplete, or unauthorized transactions; deficiencies in the safeguarding of assets; unreliable financial reporting (which includes regulatory reporting); and deviations from laws, regulations, and the institution’s policies. 
The function of internal audit, then, is ultimately to inform the Board of weaknesses in internal controls and of possible regulatory violations. This section of the guidance discusses the reporting structure for the audit function at some length. The critical point is that, whatever reporting structure is adopted, the auditor must have the ability to report directly to the audit committee.
We note that in many smaller institutions, audit results are read out to business line managers and the final reports are then delivered to the Board or to the audit committee of the Board. This process often does not allow the auditor in charge to communicate directly with the audit committee. A comprehensive scope should include a comment on how effectively management carries out its assigned duties. The guidance is specific that in small institutions, the person responsible for testing internal controls should report findings directly to the audit committee. As a best practice, a member of the audit committee should attend the exit meeting and allow the auditor to raise any concerns that he or she feels should be communicated directly to the Board.
The guidance notes that even when the audit function is completely outsourced, it remains the responsibility of the Board and management to ensure that internal controls are effective. The outsourcing agreement should take into account both the current and the anticipated business risks of the financial institution.
The guidance details the minimum requirements for an outsourcing agreement, including the limitation that outside auditors must not make management decisions and may act only in an advisory capacity, informing the Board. Once again, the point that the outside auditor should communicate directly with a representative of the Board is emphasized.
One of the criticisms we are currently seeing is that internal audit plans do not adequately consider factors that should be part of the risk assessment. Changes in staff, new regulatory requirements, software limitations, and the overall training and experience of management are all factors that should be considered when developing the internal audit plan. As a best practice, the scope of the audits to be performed by the outsourced auditor should show that the Board has considered these factors and built them into the plan.
Independence of the Public Accountant
For many financial institutions, the temptation is to use the same accounting firm that audits their financial statements to perform internal audits. This issue presents itself most often at institutions with more than $500 million in assets, because such institutions are required to have their financial statements audited by an independent public accounting firm. Generally, the guidance limits the ability of that public accounting firm to also serve as the outsourced internal audit firm.
For smaller institutions there is no prohibition on using public accounting firms, but the practice is strongly discouraged. In large part, the reason is that the firm that audits the financial statements must be completely independent. The data used to prepare the financial statements has to be independently verified. When one accounting firm performs both functions, the appearance is that independence is lacking: the firm that audits the bank's financial statements is relying on, and effectively auditing, its own internal audit work.
There are several independent firms that specialize in internal audit for financial institutions. These firms tend to provide cost-effective and comprehensive alternatives to the public accounting firms.
Guidance for Regulators
The guidance specifies the goals of the examiners' review of internal audit. Examiners are directed to ensure that the audit scope reflects the institution's risk assessment and that the Board has directed the auditor to focus on the highest-risk areas. Examiners are also directed to review the auditor's work papers to ensure that they support the findings and conclusions in the audit report. Examiners will also review how findings are communicated to the Board and management, and there is an expectation that responses to findings are tracked and monitored.
We have recently noted that regulators are criticizing Boards for not receiving information about the overall effectiveness of the senior managers they employ. Examiners have often been critical when the audit report does not specifically draw a conclusion about the training, effectiveness, and capabilities of the senior management in charge of the business line being audited. As noted above, it is a best practice to give the auditor an outlet for communicating a conclusion about senior management as part of the audit process.
In part two, we will discuss best practices for developing the audit scope.
Comptroller’s Handbook, Internal Control, 2001, page 1.
Ibid., page 1.
See, for example, Supervision and Regulation (SR) letter 13-19 / CA letter 13-21, “Guidance on Managing Outsourcing Risk.”
Interagency Policy Statement on the Internal Audit Function and its Outsourcing.