Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY

Internal/External Audit and Internal Controls

February 23, 2000

David Dudley

Federal Reserve Bank of NY

Outline of Presentation

Internal Control Concepts

Role of Internal and External Audit

Definition of Internal Control

Internal control is a process effected by an entity’s Board of Directors and Senior Management and other personnel designed to provide reasonable assurance regarding three objectives and five components

Three Objectives of Internal Control

Effectiveness and efficiency of operations (including safeguarding of assets)

Reliability of financial reporting

Compliance with applicable laws and regulations

Five Components of Internal Control

Control Environment - “tone at the top”

Risk Assessment - management’s identification of key risks

Control Activities - entity level and activity level

Information and Communication - internal and external

Monitoring - adequacy of controls over time

Control Environment

Integrity and Ethical Values

Commitment to Competence

Management’s Philosophy/Operating Style

Organizational Structure

Assignment of Authority and Responsibility

Board of Directors and/or Audit Committee Participation

Human Resources Policies and Procedures

Risk Assessment Objectives

Identification and analysis of objectives

Activities to achieve objectives

Risk exposure

Management of risk exposure

Control Activities

Two elements:

– Policies

– Procedures

Types of Control Activities

Authorization or approval

Verification

Reconciliation

Segregation of duties

Operating performance reviews

Security of assets

Physical/logical security reviews

Supervisory reviews

Two week vacation policy

System checks

Limits

Review of MIS data

Information and Communications

Identification

Capture

Exchange

Monitoring

Ongoing Activities

Separate Evaluations

Context of Controls

A function of Entity’s:

– Size, organization, ownership

– Nature of business

– Diversity and complexity

– Methods of transmitting, processing and retaining information

– Applicable laws and regulations

Preventative vs. Detective Controls

Preventative - prevents undesirable events

Detective - detects errors and irregularities that have already occurred

Limitations

Small Offices

Collusion

Ignorance

Pace of business/Growth

Judgment

Cost

Management override

International Emphasis on Internal Controls

Basel Committee on Banking Supervision

Framework for the Evaluation of Internal Controls

– Policy Statement finalized September 1998

– Identifies Causes of Recent Banking Problems

Internal Control Breakdowns - Basel Report Conclusions

Lack of adequate management oversight and accountability; failure to develop a strong control culture

Inadequate assessment of the risks of certain banking activities

Absence or failure of key control structures and activities

Inadequate communication of information between levels of management

Inadequate or ineffective audit programs and other monitoring activities

Internal Control Breakdowns

Causes:

– Inadequate evaluation of new business risks

– Insufficient segregation of duties

– Ineffective management oversight

– Absence of a separate monitoring mechanism

Internal Control Breakdowns

Internal audit deficiencies

– Untimely or piecemeal audits

– Ineffective follow-up

– Unfamiliarity with business procedures

– No training in sophisticated areas

Framework for the Evaluation of Internal Controls

Purpose: To be used by bank regulators to evaluate internal control systems

Consists of thirteen general principles applicable to all banking institutions

Thirteen Principles

Management Oversight (3)

– Board should approve strategies, policies and risk appetite

– Senior management should implement board strategies and policies

– Board and senior management should promote high ethical standards

Thirteen Principles

Risk Recognition Assessment (1)

– Senior management should identify and evaluate risk factors

Control Activities and Segregation of Duties (2)

– Control activities should be integral part of daily activities of institution

– Senior management should ensure appropriate segregation of duties

Thirteen Principles

Information and Communications (3)

– Senior management should have adequate and comprehensive data

– Senior management should create effective channels of communication for relevant information concerning significant activities

– Senior management should develop appropriate information systems for all activities

Thirteen Principles

Monitoring Activities and Correcting Deficiencies (3)

– Senior management should monitor overall effectiveness of internal controls

– Audit should perform effective and comprehensive audits

– Audit will ensure that internal control deficiencies are promptly reported to management

Thirteen Principles

Evaluation of Internal Control Systems by Supervisory Authorities (1)

– Supervisors should require all banks to have effective internal control systems

Comprehensive Internal Controls

Key elements of internal controls:

– Adequate segregation of duties

– Independent testing - e.g., audit

– Appropriate to the type and level of risks

– Clear lines of authority and responsibility

– Appropriate reporting lines

Role of External Audit

Macro Level

Depends upon services provided:

– Financial Statement Audit

– Directors Examination

– Consulting

Evaluation of External Audit

Depends upon the services provided

Review of financial statements and management letters

Discussion of key risks

Review of work papers

Role of Internal Audit

Detail-oriented

An independent assessment of the effectiveness of internal controls

Evaluation of Internal Audit

Overall effectiveness of the function:

– Independence

– Mission

– Resources/qualifications/skills

– Interaction with Senior Management

Mission

Audit Charter

– Roles, reporting lines and responsibilities

– Full access to all information

Independence

Reporting line:

– Domestic - Audit Committee of the Board of Directors

– US branches and agencies of foreign banks - head office audit

– Administrative reporting line to Senior Management

Includes approval of the annual plan, salary, budgets and sign-off on the annual appraisal

Audit Resources

Sufficiency of resources

Qualifications of staff

Skill level and training

Interaction with Senior Management

Level of audit within the organization

Audit’s dealings with Senior Management

Prompt resolution of issues by management

Quality Timeliness

Risk assessment methodology

Annual audit plan

Types of audit coverage

Audit programs

Audit reports and work papers

Audit follow-up

Risk Assessment Methodology

Identification of key risks within the institution

Format of the methodology:

– Risk-based

– Qualitative and/or quantitative factors

– Combination of risks and/or other factors

Sample Factors - Risk Assessment

Credit risk

Market risk

Liquidity risk

Operations risk

Reputational risk

Legal risk

Fraud risk

Trading risk

Credit and sales risk

Control environment

Reporting risk

Revenue or expense volatility

Sample Factors - Risk Assessment

– Transactional values/volumes and changes

– Error impact

– Nature of process

– Reliance on data

– Access to physical assets

– Economic or political trends

– Quality of management or department head

– Staff quality and changes

– Degree of management judgment and quality of supervision

– Product changes

– Legal/regulatory impact

Annual Audit Plan

Based upon the risk assessment methodology

Normally part of a multi-year cycle

Approved by the Board of Directors or head office audit

Quarterly - Updates to the plan

Detailed analysis of changes to the plan

Types of Audit Coverage

Full scope audits

Control self-assessments

Key control or risk reviews

Targeted audits

Continuous monitoring

Conversion/system development audits/data center and application reviews

Audit Programs

Detailed programs for each auditable area

Completed during the first audit and subsequently updated

Coverage of key risks and controls in the area

Appropriate sampling methodology

Audit Reports and Work Papers

Audit Reports

Detailed Analysis

– executive summary

– description of the work performed

– analysis of conditions and/or rating

Audit Work Papers

– proper documentation and cross-referencing

– appropriate narratives and conclusions

Exception Follow-up

Tracking system or methodology

– Issue/Problem, Status of corrective action, Accountability, Timeframe

Head Office Commitment and Support

Significant items cleared in a timely manner

– Progress, Approval

Audit Outsourcing

The performance of internal audit activities by an external party such as a CPA firm.

Co-sourcing, contracting

Issues:

– Independence, conflict of interest, work management, understanding of the corporate culture, continuity

Overall Evaluation of Internal Audit

Positive evaluation - determine extent of reliance on internal audit

Issues - include in the examination report

Annually - analyze changes in audit

Relying upon External Audit

Nature of the work performed

– Financial audits

– Other control reviews

– Outsourcing or Co-sourcing

The End