The views expressed in this presentation do not necessarily reflect those of

the Federal Reserve Bank of New York or the Federal Reserve System

Association of International Bank Auditors (AIBA) Conference

June 9, 2011

Current Role of Internal Audit

Presented by: Roseanne Farley, Examining Officer – Federal Reserve Bank of New York

2

Internal Audit and the Current Control Environment

Key areas impacting Internal Audit’s Role: Increased complexity of financial services

Changing and increasing role of supervision and regulation

Limits on budgets and resources

Increasing globalization of institutions, issues, and resources

Relationship of audit with key control functions

3

Audit Issues Impacting Foreign Banking Institutions

Development of global audit processes, procedures, and systems

Location of staff and use of head office staff at overseas locations

Tailoring of audit processes and procedures to specific jurisdictions and legal requirements

The impact of cultural issues on audit coverage

The relationship of audit with senior management at head office and in the locality

4

Evaluation of Internal Audit’s Independence and Staffing

Independence and Reporting Line Jurisdictional issues and differences

Adequacy of reporting to head office audit and roll-up to audit committee

Adequacy of audit staffing – sufficient staff with expertise in key areas; potential use of outsourcing or co-sourcing; adequate on the job training

Evaluation of local vs. overseas staff participating in audits

Determine adequacy of resources through analysis of audit’s work

Annual staff skill gap assessment

5

Internal Audit Processes

Sufficiency of audit processes

Identification of the audit universe

Internal audit methodology

Audit risk assessment and plan

Audit work – planning memo, scope, audit program, work papers, appropriate sample sizes, adequate documentation and cross-referencing

Audit reports

Audit tracking system

6

Internal Audit Methodology

Establish auditable entities - e.g. identify all legal entities, departments, corporate functions, geographic locations, committees – review at least once a year for changes

Analyze the risk of all auditable components using established risk factors

Determine the appropriate level of risk- Establish a risk hierarchy using a standard format – usually high, medium and low

7

Audit Risk Assessment and Plan

Identification of key risks within the institution separate from management

Format of the methodology: Risk-based Qualitative/quantitative factors Combination of risks and other factors Tailored to each institution

New plan developed every year

Normally part of a multi-year cycle - three or four years; some institutions using no cycle with high risk audited every year – need additional controls

Approved by the Audit Committee annually◦ justification for canceling or delaying specific audits

8

Audit Work

Audit Programs: Detailed programs for each auditable area Completed during the first audit and subsequently updated Coverage of key risks and controls in the area – may be linked to self-

assessment Evidences sufficient knowledge of the business Cross reference between risks, controls and audit tests

Audit Reports: Detailed analysis of the entire audit including executive summary,

detailed scope of planned audit, description of the work performed, analysis of conditions and/or rating, recommendations, management’s response (in most cases)

9

Audit Tracking System

Tracking system- spreadsheet or automated May identify issues by high, medium or low Identifying trends and root causes Methodology for clearance

Responses validated immediately or during next audit Reporting and escalation for open issues Significant items cleared in a timely manner

10

Continuous Monitoring/Auditing

Continuous Monitoring

Techniques used by internal audit: Regular meetings and discussions with management Participation on committees Review of self-assessment data Used to determine changes to audit coverage

Continuous Auditing Ongoing testing of key processes, risks, and controls Used of automated tools to detect patterns of control issues

11

Suggested Areas for Internal Audit Emphasis

Focus on systemic risk and both its impact on the institution and how the institution could create systemic risk in the financial services arena

Continued evaluation of governance and strategic processes

Compliance with all new rules and regulations

Emphasis on both individual business areas and cross-functional processes

Identification and escalation of thematic control issues

12

Suggested Areas for Internal Audit Emphasis

MIS and infrastructure weaknesses and changes

Understanding management’s business strategy and risk tolerance – clear articulation

Focus on potential areas of fraud risk

Use of operational risk loss data to identify common control weaknesses

13

Trends in Internal Audit

Most institutions still use a defined audit cycle

Increased emphasis on horizontal and targeted reviews

Use of enhanced continuous monitoring as a tool to identify emerging risks

Some increase in hiring due to additional demands on audit as a result of both the current environment and regulatory reform

Using Quality Assurance as a training tool

Global macro risk assessments identifying six or seven key areas impacting the institution

14

Continued Areas of Audit Weakness

Insufficient documentation in several areas risk assessment conclusions rationale for deferring audit work in work papers rationale for selecting a specific sample size

Additional date should be provided to head office audit or the Audit Committee

Lack of an internal Quality Assurance function or external Quality Assurance review

Insufficient sample sizes