There’s a reason internal auditors are called the third line of defense. They ensure your financial institution’s operations are safe and compliant.
But how do you know your defense is strong enough? Regardless of whether your FI has an internal audit function or uses an audit firm, an audit program needs these five key elements:
1. Board Support & Access
To effectively carry out the mission of being the third line of defense, auditors must be independent and able to objectively assess the operations of an institution. When internal auditors report to the FI’s executives, they are sometimes afraid to report egregious violations or other types of findings that uncover questionable management. They don’t want to lose their jobs for simply being the messenger.
That’s why internal auditors should have direct access to the board or the audit committee (comprised of directors). It should also go without saying that auditors should not be fired because of audit reports, and any type of disciplinary action taken against an auditor should be reviewed by the board.
In addition, auditors will need the support of the board and of executives to obtain work papers and test samples from business units. To facilitate their audits and reviews, auditors should have the authority to communicate with business units and employees with little red tape. While executives are protective of their resources, audits are like a health checkup. If you stop going to your primary doctor for check-ups, the results could be much worse.
Once auditors have completed their assessments, financial institutions should protect their observations, findings, and recommendations by allowing the auditors to report them directly to the board. There is a fine line in giving someone an opportunity to respond and clarify, but this line should never be interpreted to allow business lines to obscure or modify an auditor’s assessment.
2. Independence
The best audit reports are those that can objectively assess any business function. Unfortunately, human nature prevents most people from objectively assessing their own work. There is an actual scientific term for judging our own work more favorably than our peers would: illusory superiority. That’s why most professions have instituted peer reviews and other practices that allow fresh, unbiased eyes to evaluate work.
The same idea holds in auditing. People who help build a compliance program or craft the policies, procedures, and internal controls will not be as good judges of their work as someone who has not spent their time crafting it. That’s why regulators stress the need for independent auditors who can objectively assess the effectiveness of a program and deliver unbiased findings and recommendations.
3. Risk-Based
FIs are required to comply with thousands of laws, regulations, and internal processes. However, resources are finite. Auditors have to take the same approach as all the functional Federal regulators—to allocate their resources to assess riskier practices or areas with a heightened risk for non-compliance or consumer harm. This means that the depth and frequency of an audit should reflect the level of risk, but areas of lower risk should also be audited.
Auditors should not spend their time reinventing the wheel. A good practice is to review risk assessments, focus on the areas where inherent risk is highest, and audit the effectiveness of the controls there. If those controls are not mitigating the risk, this can have a dire impact on the institution.
A good audit plan should also take into account previous examinations and findings created by examiners. If an independent party has already identified an area of weakness, auditors should look at the activity undertaken to resolve deficiencies and ensure effectiveness. In addition, auditors can turn to recent enforcement actions and supervisory priorities to determine areas of perceived risk and regulatory scrutiny.
Don’t forget about the complaints! Consumer complaints can unveil tricky areas of compliance risk such as UDAAP and fair lending.
4. Expertise & Training
Whether it is financial statements, regulatory compliance, or operational risk, auditors need to be knowledgeable or they will not be effective. A common complaint we have heard from compliance officers is that they know more about compliance than the examiners and are often teaching them on the job. Audit teams will lose the respect, collaboration, and buy-in from those they audit if they are not knowledgeable.
Ensure your auditors have the appropriate training and understanding of the process they audit—otherwise, the results of the audit and the working relationships between the auditor and the institution will be lackluster. Auditors may not be the authorities on a specific regulation, but they should have access to specialists or the tools to become specialists in the field they audit. That means auditors should be as up-to-date with regulatory/institutional changes and leverage guidance documents as the experts in their institutions so they can ask the right questions.
5. Technology
From organizing files to planning your audits, technology makes auditors more effective. Depending on the complexity, risk profile, and size of the institution, audits can become unwieldy without the right tools. Find a technology partner that understands the types of audits FIs like yours are required to perform. It should also support your institution’s operations, foster collaboration, and make the job of organizing and retaining documents and presenting and resolving findings seamless.
This month Ncontracts is releasing Nverify, a comprehensive audit management tool that automates the audit process to ensure compliance while identifying opportunities for internal process improvement.
Request a demo if you’d like to learn more.