To ensure the safe and sound operation of a financial institution, the board of directors and senior management must have in place an effective system of internal controls, including internal audit. When the internal audit function is properly structured and conducted, it gives directors and senior management vital information about the condition of the system of internal controls and identifies weaknesses so that management can take prompt remedial action. To establish an effective internal audit function, the board of directors (or its audit committee) should adopt an audit policy that outlines the framework and standards within which the audit function is expected to operate.
The policy and audit committee charter should take into consideration the size and complexity of the bank, with consideration given to the development of the following documents: Audit Committee Charter, Internal Audit Charter, Internal Audit Policy, and Internal Audit Procedures. The Institute of Internal Auditors (IIA) Standards acknowledge that no single policy will meet the needs of every audit committee or audit function.
For example, larger institutions have more formal policies and procedures, while smaller ones may have fewer, less complex policies that articulate the basic needs of the organization. More importantly, there should be written, board-approved documentation supporting the purpose of the audit function. Some of the following audit policy components are incorporated within IIA Standards, while others represent industry best practices. This overview covers the supervisory expectations to consider when developing an institution’s internal audit policy and audit committee charter.
· Purpose: The charter should identify the purpose of the audit committee. Components of the purpose statement may include, but should not be limited to, assisting the board of directors in fulfilling its oversight responsibilities for financial reporting and internal controls, overseeing the audit process, and monitoring compliance with laws and regulations.
· Authority: The charter should define the audit committee’s authority. This paragraph may include the committee’s authority regarding external auditors, disagreements between management and auditors, approving audit services, retaining experts (such as legal or accounting), and meeting with officers, auditors, or outside counsel.
· Composition: The charter should articulate the composition of the audit committee, including the number of members, how the members are selected or elected, the qualifications of the members, and their independence.
· Meetings: The charter should clearly communicate the number of mandated meetings, the authority to call special meetings, and attendance requirements for committee members.
· Responsibilities: One of the most important components of the charter is to articulate the committee’s responsibilities, which may include: review and approve the audit risk assessment methodology and the resulting risk assessment; review and approve the annual audit plan and changes to the plan; review and approve internal audit policy(ies); monitor compliance with applicable regulations; monitor the progress and outcome of special investigations; review audit reports; monitor remediation of audit and regulatory examination issues; ensure internal auditors have unrestricted access to all areas of the bank; review the independence of internal and external auditors; and perform other activities as requested by the board.
EAGLE EYE, Q3, 2018
INTERNAL AUDIT CHARTER AND/OR POLICY COMPOSITION
Whether the bank’s internal audit activities are outsourced or conducted in-house, management should consider the following components when developing an internal audit charter and/or policy:
· Policy objective/Purpose: The policy should address the objectives of the internal audit function. Phrases used to describe the purpose of the function often include “conduct independent audit and objective assurance,” “provide advisory services,” “add value,” “improve the institution’s operations,” “help the institution accomplish objectives,” and “improve risk management, control, and governance processes.”
· Scope of work: Although some banks address the scope of work within the purpose statement, others choose to make it a separate, more detailed section. The scope of work should address the review and approval of the audit universe, audit risk assessment, audit plan, and work performed.
· Authority: The policy should mandate the auditor’s authority, including unrestricted access to all business units, documents, and employees.
· Independence/Institutional structure: Careful thought should be given to the placement of the audit function within the institution’s management structure. The board should evaluate the auditor’s independence and document mitigating controls.
· Auditing standards: The bank’s audit policy (or charter) should identify how the audit function provides reasonable assurance as to the effectiveness of the system of internal controls. It is the responsibility of the audit committee to determine the extent of auditing that will effectively monitor the institution’s system of internal controls.
· Outsourcing/Third parties: Although some banks use an outsourcing arrangement to execute internal audit activities, the ultimate responsibility for ensuring an effective system of internal controls rests with the board of directors and senior management. It is therefore incumbent on the board to establish a policy that governs the vendor management aspect of the outsourced relationship. Policy considerations include contract provisions, assessments of vendor competence, communication between the vendor and the institution, a requirement that work product be owned by the institution and subject to regulatory review, and contingency planning.
· Procedures: (Based on the size and complexity of the bank, these items may be detailed in the policy or in an audit procedures manual.) At a minimum, procedures should address the following:
  Risk assessments: Identification of the risk assessment methodology, including responsibility for preparation, risk rating definitions, frequency of updates, approval, and change control processes. An audit procedures manual may include the methodology and details.
  Audit plan: Identification of the audit universe, the corresponding risk rating (determined during the risk assessment process), audit cycle/frequency requirements, the person responsible for change control, and mandates for audit committee annual review and ongoing reporting of status and changes.
  Reporting: Identification of management reporting requirements, timeliness of report preparation, definitions of report and/or issue ratings, management response requirements (corrective action plan, management responsibility for corrective action, and targeted remediation date), and reporting to the audit committee.
  Issue tracking and follow-up: Identification of requirements related to monitoring the remediation of issues noted, validation of corrective actions, and board (audit committee) updates.
· Reporting: The policy should specify the types of reporting, their frequency, and their distribution.
· Others: The policy should also address record retention requirements for work papers, policy and procedural processes for sharing work papers with regulators, and the approval process for auditors to complete tasks outside of those defined as internal audit responsibilities.

References:
· Institute of Internal Auditors’ Standards for the Professional Practice of Internal Auditing and associated Practice Advisory guidance.