Whether your bank uses an in-house, an outsourced or a co-sourced internal audit function, the internal audit program must be independent. And no matter the arrangement, management and the board have a degree of responsibility for internal audit’s efficacy—as such, they must accept ownership of this function even where it is fully outsourced.
As part of this, nationally chartered banks need to comply with the requirements issued by the Office of the Comptroller of the Currency (OCC) in October 2013 entitled “Third Party Relationships: Risk Management Guidance,” which deals with the selection and ongoing oversight of all critical third-party relationships, including outsourced or co-sourced internal audit arrangements. Although the guidance is addressed to national banks, it also establishes a best-practices approach for state-chartered banks that are supervised by the Federal Reserve or Federal Deposit Insurance Corp. The OCC guidance stipulates that banks must implement effective risk management processes to actively manage outsourced vendors, and that the roles and responsibilities for overseeing and managing all third-party relationships must be specific and clearly defined. Therefore, outsourcing or co-sourcing all or part of an internal audit program does not diminish the responsibility of the bank’s board of directors and senior management for overseeing and managing that program.
So the question becomes how best to manage outsourced or co-sourced internal audit relationships while optimizing the independence that is necessary for boards and audit committees in the fulfillment of their responsibilities.
Banks are deploying a variety of approaches driven by organizational structure, cost or culture. Sometimes these are successful, but they often fall short of regulatory expectations.
It is possible to achieve a quality internal audit program as long as the board and management adhere to a number of key principles and are truly committed to having an internal control environment that helps the bank manage its risks.
Our firm has helped hundreds of banks implement effective internal audit programs in both full outsourced and co-sourced scenarios. Some of the elements that we have found most critical to building an effective program include:
Corporate Governance: Corporate governance and the tone at the top are the foundation of an effective program. This entails setting up a structure that includes direct reporting to the chairman of the audit committee while, at the same time, having appropriate internal management oversight. Often that oversight resides with the chief risk officer of the bank. However, we have observed successful programs that use compliance officers or an in-house internal auditor. Independence is derived from board and management commitment, setting the tone and culture within the bank.
Internal Audit Risk Assessment and Audit Plan: The success of an internal audit program is highly dependent on identifying the risk profile of the bank and developing an appropriate audit plan that addresses those risks. Just a few of the areas complicating today’s bank risk environment include information security and technology-driven service delivery channels, consumer compliance and BSA/AML compliance requirements, and interest rate risk management.
Experienced and Qualified Internal Audit Team: A successful internal audit program is simply not possible without deploying the right expertise and experience to audit the different aspects of a bank’s business and compliance requirements.
A successful internal audit program is often accomplished by seeking an outsourced or co-sourced solution which, under regulatory guidance, management remains responsible for managing. However, independence does not need to be compromised—particularly if the bank culture and tone at the top are committed to an independent, risk-based internal audit program.