Every now and then, regulatory bodies around the world issue guidance documents that make a profound statement about internal auditing. Last week, the U.S. Federal Reserve issued some new guidance that clearly falls into that category.
The 15-page document, titled Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing, technically applies only to U.S. banks with assets of US $10 billion or more. However, from my perspective, the Fed has made a powerful statement on the importance of a strong and effective internal audit function in financial services institutions in the "post-financial-crisis" era.
With this statement, the Federal Reserve also comes closer than virtually any other regulator in the industry to endorsing or mandating The IIA's International Standards for the Professional Practice of Internal Auditing. In fact, the document's opening paragraph asserts:
"The Federal Reserve is providing this supplemental guidance to enhance regulated institutions' internal audit practices and to encourage them to adopt professional standards and other authoritative guidance, including those issued by The Institute of Internal Auditors."
The guidance, which addresses the characteristics, governance, and operational effectiveness of an organization's internal audit function, includes the following key provisions:
- If the chief audit executive (CAE) reports administratively to someone other than the CEO, the audit committee should document its rationale for this reporting structure, including mitigating controls available for situations that could adversely impact the objectivity of the CAE.
- Internal audit management should perform knowledge gap assessments at least annually to evaluate whether staff members have the knowledge and skills commensurate with the organization's strategy and operations.
- Internal auditors generally should receive a minimum of 40 hours of training annually.
- The internal audit function should have a code of ethics that emphasizes the principles of objectivity, competence, confidentiality, and integrity, consistent with professional internal audit guidance such as The IIA's Code of Ethics.
- The internal audit charter should define criteria for when and how the internal audit function may outsource some of its work to external experts.
- The audit committee and its chairperson should have ongoing interaction with the CAE separate from formally scheduled meetings to remain current on internal audit department, organizational, and industry concerns.
- The audit committee should receive an opinion on the adequacy of risk management processes at least annually, including the effectiveness of management's self-assessment and remediation of identified issues.
- Internal audit's risk-assessment methodology is an integral part of the evaluation of overall policies, procedures, and controls at the organization and the development of a plan to test those processes.
- Internal audit's risk-assessment methodology should address the role of continuous monitoring in determining and evaluating risk.
- It's common practice for organizations with defined audit cycles to follow a three- or four-year audit cycle; high-risk areas should be audited at least every 12 to 18 months.
- Internal audit is encouraged to use formal continuous monitoring practices as part of the function's risk-assessment processes to support adjustments to the audit plan or universe as they occur.
- A well-designed, comprehensive quality assurance program should ensure that internal audit activities conform to The IIA's professional standards and the organization's internal audit policies and procedures. The program should include both internal and external quality assessments.
- Each institution should conduct an internal quality assessment annually, and the CAE should report the results and status of internal assessments to senior management and the audit committee at least annually.
- The audit committee and the CAE are responsible for the selection and retention of internal audit vendors and should be aware of factors that may impact vendors' competence and ability to deliver high-quality audit services.
- When an organization relies significantly on the resources of an internal audit service provider, the organization should have contingency procedures for managing temporary or permanent disruptions in the service in order to ensure that the internal audit function can meet its intended objectives.
While not everyone may agree with the provisions of the Fed's new policy guidance, I do view it as a very positive development. Feel free to share your thoughts.