Internal/External Audit and Internal Controls

Description:

February 23, 2000 David Dudley Federal Reserve Bank of NY Outline of Presentation Internal Control Concepts Role of Internal and External Audit Definition of Internal ... – PowerPoint PPT presentation

1
Internal/External Audit and Internal Controls
  • February 23, 2000
  • David Dudley
  • Federal Reserve Bank of NY

2
Outline of Presentation
  • Internal Control Concepts
  • Role of Internal and External Audit

3
Definition of Internal Control
  • Internal control is a process effected by an
    entity's Board of Directors and Senior Management
    and other personnel designed to provide
    reasonable assurance regarding three objectives
    and five components

4
Three Objectives of Internal Control
  • Effectiveness and efficiency of operations
    (including safeguarding of assets)
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

5
Five Components of Internal Control
  • Control Environment - tone at the top
  • Risk Assessment - management's identification of
    key risks
  • Control Activities - entity level and activity
    level
  • Information and Communication - internal and
    external
  • Monitoring - adequacy of controls over time

6
Control Environment
  • Integrity and Ethical Values
  • Commitment to Competence
  • Management's Philosophy/Operating Style
  • Organizational Structure
  • Assignment of Authority and Responsibility
  • Board of Directors and/or Audit Committee
    Participation
  • Human Resources Policies and Procedures

7
Risk Assessment Objectives
  • Identification and analysis of objectives
  • Activities to achieve objectives
  • Risk exposure
  • Management of risk exposure


8
Control Activities
  • Two elements
  • Policies
  • Procedures

9
Types of Control Activities
  • Authorization or approval
  • Verification
  • Reconciliation
  • Segregation of duties
  • Operating performance reviews
  • Security of assets
  • Physical/logical security reviews
  • Supervisory reviews
  • Two-week vacation policy
  • System checks
  • Limits
  • Review of MIS data

10
Information and Communications
  • Identification
  • Capture
  • Exchange

11
Monitoring
  • Ongoing Activities
  • Separate Evaluations

12
Context of Controls
  • A function of Entity's
  • Size, organization, ownership
  • Nature of business
  • Diversity and complexity
  • Methods of transmitting, processing and retaining
    information
  • Applicable laws and regulations

13
Preventative vs. Detective Controls
  • Preventative - prevents undesirable events
  • Detective - detects errors and irregularities
    that have already occurred

14
Limitations
  • Small Offices
  • Collusion
  • Ignorance
  • Pace of business/Growth
  • Judgment
  • Cost
  • Management override

15
International Emphasis on Internal Controls
  • Basel Committee on Banking Supervision
  • Framework for the Evaluation of Internal Controls
  • Policy Statement finalized September 1998
  • Identifies Causes of Recent Banking Problems

16
Internal Control Breakdowns - Basel Report
Conclusions
  • Lack of adequate management oversight and
    accountability; failure to develop a strong
    control culture
  • Inadequate assessment of the risks of certain
    banking activities
  • Absence or failure of key control structures and
    activities
  • Inadequate communication of information between
    levels of management
  • Inadequate or ineffective audit programs and
    other monitoring activities

17
Internal Control Breakdowns
  • Causes
  • Inadequate evaluation of new business risks
  • Insufficient segregation of duties
  • Ineffective management oversight
  • Absence of a separate monitoring mechanism

18
Internal Control Breakdowns
  • Internal audit deficiencies
  • Untimely or piecemeal audits
  • Ineffective follow-up
  • Unfamiliarity with business procedures
  • No training in sophisticated areas

19
Framework for the Evaluation of Internal Controls
  • Purpose: To be used by bank regulators to
    evaluate internal control systems
  • Consists of thirteen general principles
    applicable to all banking institutions

20
Thirteen Principles
  • Management Oversight (3)
  • Board should approve strategies, policies and
    risk appetite
  • Senior management should implement board
    strategies and policies
  • Board and senior management should promote high
    ethical standards

21
Thirteen Principles
  • Risk Recognition and Assessment (1)
  • Senior management should identify and evaluate
    risk factors
  • Control Activities and Segregation of Duties (2)
  • Control activities should be an integral part of
    daily activities of institution
  • Senior management should ensure appropriate
    segregation of duties

22
Thirteen Principles
  • Information and Communications (3)
  • Senior management should have adequate and
    comprehensive data
  • Senior management should create effective
    channels of communication for relevant
    information concerning significant activities
  • Senior management should develop appropriate
    information systems for all activities

23
Thirteen Principles
  • Monitoring Activities and Correcting Deficiencies
    (3)
  • Senior management should monitor overall
    effectiveness of internal controls
  • Audit should perform effective and comprehensive
    audits
  • Audit will ensure that internal control
    deficiencies are promptly reported to management

24
Thirteen Principles
  • Evaluation of Internal Control Systems by
    Supervisory Authorities (1)
  • Supervisors should require all banks to have
    effective internal control systems

25
Comprehensive Internal Controls
  • Key elements of internal controls
  • Adequate segregation of duties
  • Independent testing - e.g., audit
  • Appropriate to the type and level of risks
  • Clear lines of authority and responsibility
  • Appropriate reporting lines

26
Role of External Audit
  • Macro Level
  • Depends upon services provided
  • Financial Statement Audit
  • Directors' Examination
  • Consulting

27
Evaluation of External Audit
  • Depends upon the services provided
  • Review of financial statements and management
    letters
  • Discussion of key risks
  • Review of work papers

28
Role of Internal Audit
  • Detail-oriented
  • An independent assessment of the effectiveness of
    internal controls

29
Evaluation of Internal Audit
  • Overall effectiveness of the function
  • Independence
  • Mission
  • Resources/qualifications/skills
  • Interaction with Senior Management

30
Mission
  • Audit Charter
  • Roles, reporting lines and responsibilities
  • Full access to all information

31
Independence
  • Reporting line
  • Domestic - Audit Committee of the Board of
    Directors
  • US branches and agencies of foreign banks - head
    office audit
  • Administrative reporting line to Senior
    Management
  • Includes approval of the annual plan, salary,
    budgets and sign-off on the annual appraisal

32
Audit Resources
  • Sufficiency of resources
  • Qualifications of staff
  • Skill level and training

33
Interaction with Senior Management
  • Level of audit within the organization
  • Audit's dealings with Senior Management
  • Prompt resolution of issues by management

34
Quality and Timeliness
  • Risk assessment methodology
  • Annual audit plan
  • Types of audit coverage
  • Audit programs
  • Audit reports and work papers
  • Audit follow-up

35
Risk Assessment Methodology
  • Identification of key risks within the
    institution
  • Format of the methodology
  • Risk-based
  • Qualitative and/or quantitative factors
  • Combination of risks and/or other factors

36
Sample Factors - Risk Assessment
  • Credit risk
  • Market risk
  • Liquidity risk
  • Operations risk
  • Reputational risk
  • Legal risk
  • Fraud risk
  • Trading risk
  • Credit and sales risk
  • Control environment
  • Reporting risk
  • Revenue or expense volatility

37
Sample Factors - Risk Assessment
  • Transactional values/volumes and changes
  • Error impact
  • Nature of process
  • Reliance on data
  • Access to physical assets
  • Economic or political trends
  • Quality of management or department head
  • Staff quality and changes
  • Degree of management judgment and quality of
    supervision
  • Product changes
  • Legal/regulatory impact

38
Annual Audit Plan
  • Based upon the risk assessment methodology
  • Normally part of a multi-year cycle
  • Approved by the Board of Directors or head office
    audit
  • Quarterly - Updates to the plan
  • Detailed analysis of changes to the plan

39
Types of Audit Coverage
  • Full scope audits
  • Control self-assessments
  • Key control or risk reviews
  • Targeted audits
  • Continuous monitoring
  • Conversion/system development audits/data center
    and application reviews

40
Audit Programs
  • Detailed programs for each auditable area
  • Completed during the first audit and subsequently
    updated
  • Coverage of key risks and controls in the area
  • Appropriate sampling methodology

41
Audit Reports and Work Papers
  • Audit Reports
  • Detailed Analysis
  • executive summary
  • description of the work performed
  • analysis of conditions and/or rating
  • Audit Work Papers
  • proper documentation and cross-referencing
  • appropriate narratives and conclusions

42
Exception Follow-up
  • Tracking system or methodology
  • Issue/Problem, Status of corrective action,
    Accountability, Timeframe
  • Head Office Commitment and Support
  • Significant items cleared in a timely manner
  • Progress, Approval

43
Audit Outsourcing
  • The performance of internal audit activities by
    an external party such as a CPA firm.
  • Co-sourcing, contracting
  • Issues
  • Independence, conflict of interest, work
    management, understanding of the corporate
    culture, continuity

44
Overall Evaluation of Internal Audit
  • Positive evaluation - determine extent of
    reliance on internal audit
  • Issues - include in the examination report
  • Annually - analyze changes in audit

45
Relying upon External Audit
  • Nature of the work performed
  • Financial audits
  • Other control reviews
  • Outsourcing or Co-sourcing

46
The End