The views expressed in this presentation do not necessarily reflect those of the Federal Reserve...
-
Upload
lester-eaton -
Category
Documents
-
view
215 -
download
0
Transcript of The views expressed in this presentation do not necessarily reflect those of the Federal Reserve...
The views expressed in this presentation do not necessarily reflect those of
the Federal Reserve Bank of New York or the Federal Reserve System
Association of International Bank Auditors (AIBA) Conference
June 9, 2011
Current Role of Internal Audit
Presented by: Roseanne Farley, Examining Officer – Federal Reserve Bank of New York
2
Internal Audit and the Current Control Environment
Key areas impacting Internal Audit’s Role: Increased complexity of financial services
Changing and increasing role of supervision and regulation
Limits on budgets and resources
Increasing globalization of institutions, issues, and resources
Relationship of audit with key control functions
3
Audit Issues Impacting Foreign Banking Institutions
Development of global audit processes, procedures, and systems
Location of staff and use of head office staff at overseas locations
Tailoring of audit processes and procedures to specific jurisdictions and legal requirements
The impact of cultural issues on audit coverage
The relationship of audit with senior management at head office and in the locality
4
Evaluation of Internal Audit’s Independence and Staffing
Independence and Reporting Line Jurisdictional issues and differences
Adequacy of reporting to head office audit and roll-up to audit committee
Adequacy of audit staffing – sufficient staff with expertise in key areas; potential use of outsourcing or co-sourcing; adequate on the job training
Evaluation of local vs. overseas staff participating in audits
Determine adequacy of resources through analysis of audit’s work
Annual staff skill gap assessment
5
Internal Audit Processes
Sufficiency of audit processes
Identification of the audit universe
Internal audit methodology
Audit risk assessment and plan
Audit work – planning memo, scope, audit program, work papers, appropriate sample sizes, adequate documentation and cross-referencing
Audit reports
Audit tracking system
6
Internal Audit Methodology
Establish auditable entities - e.g. identify all legal entities, departments, corporate functions, geographic locations, committees – review at least once a year for changes
Analyze the risk of all auditable components using established risk factors
Determine the appropriate level of risk- Establish a risk hierarchy using a standard format – usually high, medium and low
7
Audit Risk Assessment and Plan
Identification of key risks within the institution separate from management
Format of the methodology: Risk-based Qualitative/quantitative factors Combination of risks and other factors Tailored to each institution
New plan developed every year
Normally part of a multi-year cycle - three or four years; some institutions using no cycle with high risk audited every year – need additional controls
Approved by the Audit Committee annually◦ justification for canceling or delaying specific audits
8
Audit Work
Audit Programs: Detailed programs for each auditable area Completed during the first audit and subsequently updated Coverage of key risks and controls in the area – may be linked to self-
assessment Evidences sufficient knowledge of the business Cross reference between risks, controls and audit tests
Audit Reports: Detailed analysis of the entire audit including executive summary,
detailed scope of planned audit, description of the work performed, analysis of conditions and/or rating, recommendations, management’s response (in most cases)
9
Audit Tracking System
Tracking system- spreadsheet or automated May identify issues by high, medium or low Identifying trends and root causes Methodology for clearance
Responses validated immediately or during next audit Reporting and escalation for open issues Significant items cleared in a timely manner
10
Continuous Monitoring/Auditing
Continuous Monitoring
Techniques used by internal audit: Regular meetings and discussions with management Participation on committees Review of self-assessment data Used to determine changes to audit coverage
Continuous Auditing Ongoing testing of key processes, risks, and controls Used of automated tools to detect patterns of control issues
11
Suggested Areas for Internal Audit Emphasis
Focus on systemic risk and both its impact on the institution and how the institution could create systemic risk in the financial services arena
Continued evaluation of governance and strategic processes
Compliance with all new rules and regulations
Emphasis on both individual business areas and cross-functional processes
Identification and escalation of thematic control issues
12
Suggested Areas for Internal Audit Emphasis
MIS and infrastructure weaknesses and changes
Understanding management’s business strategy and risk tolerance – clear articulation
Focus on potential areas of fraud risk
Use of operational risk loss data to identify common control weaknesses
13
Trends in Internal Audit
Most institutions still use a defined audit cycle
Increased emphasis on horizontal and targeted reviews
Use of enhanced continuous monitoring as a tool to identify emerging risks
Some increase in hiring due to additional demands on audit as a result of both the current environment and regulatory reform
Using Quality Assurance as a training tool
Global macro risk assessments identifying six or seven key areas impacting the institution
14
Continued Areas of Audit Weakness
Insufficient documentation in several areas risk assessment conclusions rationale for deferring audit work in work papers rationale for selecting a specific sample size
Additional date should be provided to head office audit or the Audit Committee
Lack of an internal Quality Assurance function or external Quality Assurance review
Insufficient sample sizes