Internal auditors are required to use their professional judgment when evaluating the effectiveness of an organization’s internal controls, corporate governance, and risk management practices. To do that efficiently, audit programs must be updated in a timely manner to ensure that departments are being held accountable not only to internal policies and procedures, but also to the outside regulatory world. Five key elements can help internal auditors ensure the completeness of the organization’s audit program around regulatory compliance.
1. Identifying Information Sources
Internal audit needs to stay abreast of regulatory changes and determine how to address them. A good starting point is reviewing relevant documents and articles from The IIA, such as Nancy Haig’s February 2020 Internal Auditor article, “A Plan for Regulatory Change.” In addition, internal auditors should maintain an open dialogue with their organization’s compliance department and with regulatory agencies to discuss current and upcoming rules and regulations and their impact on business operations. Other departments, such as compliance or risk management, may already own the processes for identifying new regulations and assessing their risk; internal auditors should take those existing processes into account when deciding how to track regulatory change for their own programs, rather than building a duplicate process.
Regulatory agencies also publish supervisory highlights and periodic updates on their websites. Take, for example, a change to the U.S. Consumer Financial Protection Bureau’s (CFPB’s) Regulation B, which implements the Equal Credit Opportunity Act (ECOA) of 1974. This regulation outlines lending acts and practices that are prohibited, permitted, or required of creditors when extending credit to borrowers. Amendments to Regulation B became effective Jan. 1, 2014, and a subsequent change became effective Jan. 1, 2018; both are outlined on the CFPB website. Regulatory updates of this kind should be incorporated into the appropriate audit program to ensure sufficient coverage of the risks the organization may face.
2. Determining Regulation Relevancy
Much of the process of identifying regulatory requirements involves understanding the organization, its overall goals and strategies, and the related business risks that may affect the achievement of objectives. Some organizations may identify regulatory guidance that applies to their industry but not to them directly, because the organization does not engage in the transactions or business niches the guidance covers. In that case, the auditor may identify the regulation in the risk assessment and conclude that testing is not applicable, which ends the change process for that item. Recording the regulation in the risk assessment, even when no testing follows, lets the auditor and the management reviewer show what was considered for testing and document the reasoning behind the decision.
A mandate in the Regulation B ECOA example requires that, for an application for credit to be secured by a first lien on a dwelling, creditors provide the applicant with a disclosure of the right to receive a copy of all written appraisals, delivered within three business days of receiving the application. The applicant may waive the timing requirement for delivery of the appraisal copies, but not the right to receive them. Auditors working in an institution with a large concentration in mortgage lending should make sure there are established procedures to comply with this regulation and test the effectiveness of those procedures. By contrast, a commercial bank may not have to provide such a disclosure to applicants, unless a portion of the commercial property, or the loan itself, is secured by a one- to four-unit residential dwelling. Assuming the commercial bank has no such collateral in its loan portfolio, an auditor may identify the regulation and determine that testing is not necessary.
3. Initiating a Change Request
When a regulatory update or change should be incorporated into the audit program, the auditor should first discuss the proposed change with the chief audit executive (CAE). The CAE’s feedback confirms that the proposed change is not already covered in another program, which minimizes duplication of effort.
The auditor then prepares a formal change request memorandum documenting the proposed program step changes and the reason for the request, and submits the memorandum and its attachments electronically to the CAE or designee for review and approval.
Formatting and content for change requests may vary by institution and management style, but incorporating these elements may be a good place to start:
- Requestor name.
- Date requested.
- Change description.
- Change reason.
- Proposed test procedures.
- Decision (accept, reject, other).
- Area for sign-off or electronic signature.
4. Approving Changes
All changes to internal audit programs must go through an approval process after submission to ensure they meet the needs of internal and external stakeholders. After the change request is submitted, internal audit management may approve it, reject it, or request additional information or clarification. If approved, the changes are made to the respective program and a copy of the changes is given to the internal audit team and the audit committee. If additional information is requested or the change is rejected, the requestor should be notified, and revisions should be made until all parties agree on the changes.
5. Implementing and Testing
Once final approval is received and the changes are implemented in the audit program, the internal auditor verifies the effectiveness of the related internal controls and processes to ensure that standards and regulations are met. The internal auditor may incorporate the new audit procedures during the fieldwork phase of the next scheduled audit, or perform ad hoc testing to verify that the internal controls are working as intended.
The complexity and scope of the change management process will vary based on the organization’s size, regulatory oversight, and management practices. Nevertheless, organizations should ensure they are keeping up with regulatory changes and have a systematic approach in place for updating audit programs. The auditor in charge of keeping programs up to date should determine what works for the department and the businesses it supports; that judgment is key to ensuring the organization passes its next regulatory review.
Creating an Action Plan
With the abundance of literature, white papers, and continuing education available online, there is no excuse for an incomplete audit program around regulatory change. Keeping in mind their responsibility to the organization and its stakeholders, internal auditors should create an action plan that they review on an ongoing basis. Doing so not only ensures programs stay current and that the audit team identifies issues before they become material findings, but also cements internal audit’s status as a key advisor to business stakeholders.