AUDIT SYSTEMS—Internal Audit Function and Its Outsourcing; Supplemental Policy Statement

A. Risk analysis. Internal audit should analyze the effectiveness of all critical risk-management functions both with respect to individual risk dimensions (for example, credit risk), and an institution’s overall risk-management function. The analysis should focus on the nature and extent of monitoring compliance with established policies and processes and applicable laws and regulations within the institution as well as whether monitoring processes are appropriate for the institution’s business activities and the associated risks.

B. Thematic control issues. Internal audit should identify thematic macro control issues as part of its risk-assessment processes and determine the overall impact of such issues on the institution’s risk profile. Additional audit coverage would be expected in business activities that present the highest risk to the institution. Internal audit coverage should reflect the identification of thematic macro control issues across the firm in all auditable areas. Internal audit should communicate thematic macro control issues to senior management and the audit committee.

 In addition, internal audit should identify patterns of thematic macro control issues, determine whether additional audit coverage is required, communicate such control deficiencies to senior management and the audit committee, and ensure management establishes effective remediation mechanisms.

C. Challenging management and policy. Internal audit should challenge management to adopt appropriate policies and procedures and effective controls. If policies, procedures, and internal controls are ineffective or insufficient in a particular line of business or activity, internal audit should report specific deficiencies to senior management and the audit committee with recommended remediation. Such recommendations may include restricting business activity in affected lines of business until effective policies, procedures, and controls are designed and implemented. Internal audit should monitor management’s corrective action and conduct a follow-up review to confirm that the recommendations of both internal audit and the audit committee have been addressed.

D. Infrastructure. When an institution designs and implements infrastructure enhancements, internal audit should review significant changes and notify management of potential internal control issues. In particular, internal audit should ensure that existing, effective internal controls (for example, software applications and management information system reporting) are not rendered ineffective as a result of infrastructure changes unless those controls are compensated for by other improvements to internal controls.

E. Risk tolerance. Internal audit should understand risks faced by the institution and confirm that the board of directors and senior management are actively involved in setting and monitoring compliance with the institution’s risk tolerance limits. Internal audit should evaluate the reasonableness of established limits and perform sufficient testing to ensure that management is operating within these limits and other restrictions.

F. Governance and strategic objectives. Internal audit should evaluate governance at all management levels within the institution, including at the senior management level, and within all significant business lines. Internal audit should also evaluate the adequacy and effectiveness of controls to respond to risks within the organization’s governance, operations, and information systems in achieving the organization’s strategic objectives. Any concerns should be communicated by internal audit to the board of directors and senior management.

A. Attributes of internal audit.

Independence. Internal audit is an independent function that supports the organization’s business objectives and evaluates the effectiveness of risk-management, control, and governance processes. The 2003 policy statement addressed the structure of an internal audit function, noting that it should be positioned so that an institution’s board of directors has confidence that the internal audit function can be impartial and not unduly influenced by managers of day-to-day operations. Thus, the member of management responsible for the internal audit function (hereafter referred to as the chief audit executive or CAE)⁶ should have no responsibility for operating the system of internal control and should report functionally to the audit committee. A reporting arrangement may be used in which the CAE is functionally accountable and reports directly to the audit committee on internal audit matters (that is, the audit plan, audit findings, and the CAE’s job performance and compensation) and reports administratively to another senior member of management who is not responsible for operational activities reviewed by internal audit. When there is an administrative reporting of the CAE to another member of senior management, the objectivity of internal audit is served best when the CAE reports administratively to the chief executive officer (CEO).

 If the CAE reports administratively to someone other than the CEO, the audit committee should document its rationale for this reporting structure, including mitigating controls available for situations that could adversely impact the objectivity of the CAE. In such instances, the audit committee should periodically (at least annually) evaluate whether the CAE is impartial and not unduly influenced by the administrative reporting line arrangement. Further, conflicts of interest for the CAE and all other audit staff should be monitored at least annually with appropriate restrictions placed on auditing areas where conflicts may occur.

 For foreign banking organizations (FBOs), the internal audit function for the U.S. operations of an FBO should have appropriate independent oversight for the total assets of U.S. operations.⁷ When there is a resident U.S. audit function, the CAE of the U.S. audit function should report directly to senior officials of the internal audit department at the head office such as the global CAE. If the FBO has separate U.S. subsidiaries, oversight may be provided by a U.S.-based audit committee that meets U.S. public company standards for independence or by the foreign parent company’s internal audit function.

Professional competence and staffing. Internal audit staff should have the requisite collective skill levels to audit all areas of the institution. Therefore, auditors should have a wide range of business knowledge, demonstrated through years of audit and industry-specific experience, educational background, professional certifications, training programs, committee participation, professional associations, and job rotational assignments. Internal audit should assign staff to audit assignments based on areas of expertise and, when feasible, rotate staff within the audit function.

 Internal audit management should perform knowledge gap assessments at least annually to evaluate whether current staff members have the knowledge and skills commensurate with the institution’s strategy and operations. Management feedback surveys and internal or external quality assurance findings are useful tools to identify and assess knowledge gaps. Any identified knowledge gaps should be filled and may be addressed through targeted staff hires, training, business line rotation programs, and outsourcing arrangements. The internal audit function should have an effective staff training program to advance professional development and should have a process to evaluate and monitor the quality and appropriateness of training provided to each auditor. Internal auditors generally receive a minimum of forty hours of training in a given year.

Objectivity and ethics. Internal auditors should be objective, which means performing assignments free from bias and interference. A major characteristic of objectivity is that the CAE and all internal audit professional staff avoid any conflicts of interest.⁸ For their first year in the internal audit function, internally recruited internal auditors should not audit activities for which they were previously responsible. Moreover, compensation schemes should not provide incentives for internal auditors to act contrary to the attributes and objectives of the internal audit function.⁹ While an internal auditor may recommend internal control standards or review management’s procedures before implementation, objectivity requires that the internal auditor not be responsible for the design, installation, procedures development, or operations of the institution’s internal control systems.

 An institution’s internal audit function should have a code of ethics that emphasizes the principles of objectivity, competence, confidentiality, and integrity, consistent with professional internal audit guidance such as the code of ethics established by the IIA.

Internal audit charter. Each institution should have an internal audit charter that describes the purpose, authority, and responsibility of the internal audit function. An audit charter should include the following critical components:

The charter should be approved by the audit committee of the institution’s board of directors. The charter should provide the internal audit function with the authorization to access the institution’s records, personnel, and physical properties relevant to the performance of internal audit procedures, including the authority to examine any activities or entities. Periodically, the CAE should evaluate whether the charter continues to be adequate, requesting the approval of the audit committee for any revisions. The charter should define the criteria for when and how the internal audit function may outsource some of its work to external experts.

B. Corporate governance considerations.

Board of directors and senior management responsibilities. The board of directors and senior management are responsible for ensuring that the institution has an effective system of internal controls. As indicated in the 2003 policy statement, this responsibility cannot be delegated to others within the institution or to external parties. Further, the board of directors and senior management are responsible for ensuring that internal controls are operating effectively.

Audit committee responsibilities. An institution’s audit committee is responsible for establishing an appropriate internal audit function and ensuring that it operates adequately and effectively. The audit committee should be confident that the internal audit function addresses the risks and meets the demands posed by the institution’s current and planned activities. Moreover, the audit committee is expected to retain oversight responsibility for any aspects of the internal audit function that are outsourced to a third party.

 The audit committee should provide oversight to the internal audit function. Audit committee meetings should be on a frequency that facilitates this oversight and generally should be held four times a year at a minimum, with additional meetings held by audit committees of larger financial institutions. Annually, the audit committee should review and approve internal audit’s charter, budget and staffing levels, and the audit plan and overall risk-assessment methodology. The committee approves the CAE’s hiring, annual performance evaluation, and compensation.

 The audit committee and its chairperson should have ongoing interaction with the CAE separate from formally scheduled meetings to remain current on any internal audit department, organizational, or industry concerns. In addition, the audit committee should have executive sessions with the CAE without members of senior management present as needed.

 The audit committee should receive appropriate levels of management information to fulfill its oversight responsibilities. At a minimum, the audit committee should receive the following data with respect to internal audit:

Role of the chief audit executive. In addition to communicating and reporting to the audit committee on audit-related matters, the CAE is responsible for developing and maintaining a quality assurance and improvement program that covers all aspects of internal audit activity, and for continuously monitoring the effectiveness of the audit function. The CAE and/or senior staff should effectively manage and monitor all aspects of audit work on an ongoing basis, including any audit work that is outsourced.¹⁰

C. The adequacy of the internal audit function’s processes. Internal audit should have an understanding of the institution’s strategy and operating processes as well as the potential impact of current market and macroeconomic conditions on the financial institution. Internal audit’s risk-assessment methodology is an integral part of the evaluation of overall policies, procedures, and controls at the institution and the development of a plan to test those processes.

Audit methodology. Internal audit should ensure that it has a well-developed risk-assessment methodology that drives its risk-assessment process. The methodology should include an analysis of cross-institutional risk and thematic control issues and address its processes and procedures for evaluating the effectiveness of risk-management, control, and governance processes. The methodology should also address the role of continuous monitoring in determining and evaluating risk, as well as internal audit’s process for incorporating other risk identification techniques that the institution’s management utilizes such as a risk and control self-assessment (RCSA). The components of an effective methodology should support the internal audit function’s assessment of the control environment, beginning with an evaluation of the audit universe.

Audit universe. Internal audit should have effective processes to identify all auditable entities within the audit universe. The number of auditable entities will depend upon whether entities are captured at individual department levels or at other aggregated organizational levels. Internal audit should use its knowledge of the institution to determine whether it has identified all auditable entities and may use the general ledger, cost centers, new product approval processes, organization charts, department listings, knowledge of the institution’s products and services, major operating and application systems, significant laws and regulations, or other data. The audit universe should be documented and reviewed periodically as significant organizational changes occur or at least during the annual audit planning process.

Internal audit risk assessment. A risk assessment should document the internal audit staff’s understanding of the institution’s significant business activities and the associated risks. These assessments typically analyze the risks inherent in a given business line or process, the mitigating control processes, and the resulting residual risk exposure to the institution.

 A comprehensive risk assessment should effectively analyze the key risks (and the critical risk-management functions) within the institution and prioritize audit entities within the audit universe. The risk-assessment process should be well documented and dynamic, reflecting changes to the system of internal controls, infrastructure, work processes, and new or changed business lines or laws and regulations. The risk assessments should also consider thematic control issues, risk tolerance, and governance within the institution. Risk assessments should be revised in light of changing market conditions or laws and regulations and updated during the year as changes are identified in the business activities of the institution or observed in the markets in which the institution operates, but no less than annually. When the risk assessment indicates a change in risk, the audit plan should be reviewed to determine whether the planned audit coverage should be increased or decreased to address the revised assessment of risk.

 Risk assessments should be formally documented and supported with written analysis of the risks.¹¹ There should be risk assessments for critical risk-management functions within the institution. Risk assessments may be quantitative or qualitative and may include factors such as the date of the last audit, prior audit results, the impact and likelihood of an event occurring, and the status of external vendor relationships. A management RCSA, if performed, may be considered by the internal audit function in developing its independent risk assessment. The internal audit risk assessment should also include a specific rationale for the overall auditable entity risk score. The overall disposition of the risk assessment should be summarized with consideration given to key performance or risk indicators and prior audit results. A high-level summary or discussion of the risk-assessment results should be provided to the audit committee and include the most significant risks facing the institution as well as how these risks have been addressed in the internal audit plan.

Internal audit plan. Internal audit should develop and periodically revise its comprehensive audit plan and ensure that audit coverage for all identified, auditable entities within the audit universe is appropriate for the size and complexity of the institution’s activities. This should be accomplished either through a multi-year plan approach, with the plan revised annually, or through an approach that utilizes a framework to evaluate risks annually focusing on the most significant risks. In the latter approach, there should be a mechanism in place to identify when a significant risk will not be audited in the specified timeframe and a requirement to notify the audit committee and seek its approval of any exception to the framework. Generally, common practice for institutions with defined audit cycles is to follow either a 3- or 4-year audit cycle; high-risk areas should be audited at least every 12 to 18 months.¹²

 The internal audit plan should consider the risk assessment and internal audit’s approach to audit coverage should be appropriate based on the risk assessment. An effective plan covers individual business areas and risk disciplines as well as cross-functional and cross-institutional areas.

 The audit planning process should be dynamic, allowing for change when necessary. The process should include a process for modifying the internal audit plan to incorporate significant changes that are identified either through continuous monitoring or during an audit. Any significant changes should be clearly documented and included in quarterly communications to the audit committee. Critical data to be reported to the audit committee should include deferred or cancelled audits rated high-risk and other significant additions or deletions. Significant changes to audit budgets and timeliness for the completion of audits should be reported to the audit committee with documented rationale.

Internal audit continuous monitoring. Internal audit is encouraged to utilize formal continuous monitoring practices as part of the function’s risk-assessment processes to support adjustments to the audit plan or universe as they occur. Continuous monitoring can be conducted by an assigned group or individual internal auditors. An effective continuous monitoring process should include written standards to ensure consistent application of processes throughout the organization.

 Continuous monitoring results should be documented through a combination of metrics, management reporting, periodic audit summaries, and updated risk assessments to substantiate that the process is operating as designed. Critical issues identified through the monitoring process should be communicated to the audit committee. Computer-assisted auditing techniques are useful tools to highlight issues that warrant further consideration within a continuous monitoring process.

D. Internal audit performance and monitoring processes.

Performance. Detailed guidance related to the performance of an internal audit should be documented in the audit manual¹³ and work programs to ensure that audit execution is consistent across the audit function. Internal audit policies and procedures should be designed to ensure that audits are executed in a high-quality manner, their results are appropriately communicated, and issues are monitored and appropriately resolved. In performing internal audit work, an institution should consider the following.

Retrospective review processes. When an adverse event occurs at an institution (for example, fraud or a significant loss), management should conduct a post-mortem and “lessons learned” analysis. In these situations, internal audit should ensure that such a review takes place and appropriate action is taken to remediate identified issues. The internal audit function should evaluate management’s analysis of the reasons for the event and whether the adverse event was the result of a control breakdown or failure, and identify the measures that should be put in place to prevent a similar event from occurring in the future. In certain situations, the internal audit function should conduct its own post-mortem and a “lessons learned” analysis outlining the remediation procedures necessary to detect, correct, and/or prevent future internal control breakdowns (including improvements in internal audit processes).

Quality assurance and improvement program. A well-designed, comprehensive quality assurance program should ensure that internal audit activities conform to the IIA’s professional standards and the institution’s internal audit policies and procedures. The program should include both internal and external quality assessments.

 The internal audit function should develop and document its internal assessment program to promote and assess the quality and consistency of audit work across all audit groups with respect to policies, procedures, audit performance, and work papers. The quality assurance review should be performed by someone independent of the audit work being reviewed. Conclusions reached and recommendations for appropriate improvement in internal audit process or staff training should be implemented by the CAE through the quality assurance and improvement program. Action plan progress should be monitored and subsequently closed after a period of sustainability. Each institution should conduct an internal quality assessment annually and the CAE should report the results and status of internal assessments to senior management and the audit committee at least annually.

 The IIA recommends that an external quality assessment of internal audit be performed by a qualified independent party at least once every five years. The review should address compliance with the IIA’s definition of internal auditing, code of ethics, and standards, as well as with the internal audit function’s charter, policies and procedures, and any applicable legislative and regulatory requirements. The CAE should communicate the results, planned actions, and status of remediation efforts to senior management and the audit committee.

A. Vendor competence. An institution should have appropriate policies and procedures governing the selection and oversight of internal audit vendors, including whether to continue with an existing outsourced arrangement. The audit committee and the CAE are responsible for the selection and retention of internal audit vendors and should be aware of factors that may impact vendors’ competence and ability to deliver high-quality audit services.

B. Contingency planning. An institution’s contingency plan should take into consideration the extent to which the institution relies upon outsourcing arrangements. When an institution relies significantly on the resources of an internal audit service provider, the institution should have contingency procedures for managing temporary or permanent disruptions in the service in order to ensure that the internal audit function can meet its intended objectives.

C. Quality of audit work. The quality of audit work performed by the vendor should be consistent with the institution’s standards of work expected to be performed by an in-house internal audit department. Further, information supplied by the vendor should provide the board of directors, its audit committee, and senior management with an accurate report on the control environment, including any changes necessary to enhance controls.

A. Depository institutions subject to the annual audit and reporting requirements of section 36 of the FDI Act. The July 2009 amendments to section 36 of the FDI Act (applicable to insured depository institutions with total assets of $500 million or more) require an institution’s external auditor to follow the more restrictive of the independence rules issued by the AICPA, SEC, and PCAOB. In March 2003, the SEC prohibited a registered public accounting firm that is responsible for furnishing an opinion on the consolidated or separate financial statements of an audit client from providing internal audit services to that same client.¹⁵ Therefore, by following the more restrictive independence rules, a depository institution’s external auditor is precluded from performing internal audit services, either on a co-sourced or an outsourced basis, even if the institution is not a public company.

A. Determining the overall effectiveness of internal audit. An effective internal audit function is a vehicle to advance an institution’s safety and soundness and compliance with consumer laws and regulations and is therefore considered as part of the supervisory review process. Federal Reserve examiners will make an overall determination as to whether the internal audit function and its processes are effective or ineffective and whether examiners can potentially rely upon internal audit’s work as part of the supervisory review process. If internal audit’s overall processes are deemed effective, examiners may be able to rely on the work performed by internal audit depending on the nature and risk of the functions subject to examination.

 The supervisory assessment of internal audit and its effectiveness will consider an institution’s application of the 2003 policy statement and this supplemental guidance. An institution’s internal audit function generally would be considered effective if the institution’s internal audit function structure and practices are consistent with the 2003 policy statement and this guidance. Conversely, an institution’s internal audit function that does not follow the enhanced practices and supplemental guidance outlined in this policy letter generally will be considered ineffective. In such a case, examiners will not rely on the institution’s internal audit function.

 Examiners will inform the CAE as to whether the function is deemed to be effective or ineffective. Internal audit’s overall processes could be deemed effective even though some aspects of the internal audit function may require enhancements or improvements such as additional documentation with respect to specific audit processes (for example, risk assessments or work papers). In these situations, the required enhancements or improvements generally should not be a critical part of the overall internal audit function, or the function should be deemed to be ineffective.

B. Relying on the work performed by internal audit. Examiners may rely on internal audit at supervised institutions if internal audit was deemed effective at the most recent examination of internal audit. In examining an institution’s internal audit function, examiners will supplement their examination procedures through continuous monitoring and an assessment of key elements of internal audit, including: (i) the adequacy and independence of the audit committee; (ii) the independence, professional competence, and quality of the internal audit function; (iii) the quality and scope of the audit methodology, audit plan, and risk assessment; and (iv) the adequacy of audit programs and work paper standards. On at least an annual basis, examiners should review these key elements to determine whether there have been significant changes in the internal audit infrastructure or whether there are potential concerns regarding their adequacy.

 Examiners may choose to rely on the work of internal audit when internal audit’s overall function and related processes are effective and when recent work was performed by internal audit in an area where examiners are performing examination procedures. For example, if an internal audit department performs internal audit work in an area where examiners might also review controls, examiners may evaluate whether they can rely on the work of internal audit (and either eliminate or reduce the testing scheduled as part of the regulatory examination processes). In high-risk areas, examiners will consider whether additional examination work is needed even where internal audit has been deemed effective and its work reliable.