advertisement
Home
News
Sports
Suburban Business
Entertainment
Lifestyle
Opinion
Classifieds
Obituaries
Shopping
Newspaper Services
Business

Considerations when evaluating your internal audit program

Posted January 19, 2017 12:00 am

In today's ever-expanding risk environment, institutions need to be responsive in their internal audit program's ongoing design.

As noted in interagency guidance, the board and senior management are responsible for ensuring the internal control system is effective. An important element in assessing its effectiveness is the internal audit function.

Consider these concepts when evaluating your program.

Establish a policy

To assist in carrying out their responsibilities, the board or audit committee should establish an audit policy outlining the internal audit function's framework. The policy should define

an objective and incorporate such components as reporting requirements, independence considerations and establishing outsource relationships, to name a few. The policy should consider the institution's size and complexity.

Use your risk assessment

Institutions know the importance of risk assessments. Regulatory authorities have emphasized developing entitywide comprehensive assessments and maintaining assessments specific to key compliance and operational functions.

To develop an effective internal audit risk assessment, the institution's risk profile and strategic plan need to be considered. Once addressed, the most important step is identifying risks within the audit universe. If you don't identify a risk, then you can't measure and manage it. To effectively do this, you need a thorough understanding of the business lines' operations and activities, so solicit input from appropriate personnel during the process.

Measure all auditable areas for inherent and residual risk. It's important to identify the controls being relied upon to determine residual risk as this is pertinent in the design of the testing procedures.

Determine an appropriate cycle

The frequency and depth of the audits should be commensurate with the institution's risk level. Areas identified as high risk should be addressed at least annually; lower risk areas may be limited to a biennial or triennial audit cycle, or it may be appropriate to not test an area. It's no longer proper to test every audit area each year, a common practice years ago. Today, the audit function requires risk-based audit planning. This approach can effectively use resources and provide a more meaningful effect to improve the institution.

The audit procedure's design should align with the identified risks. As previously mentioned, determining which controls are relied upon in the residual risk assessment process drives the testing procedures. In addition, consider past results. Audit procedures that have resulted in previously reported findings should be included in the procedures' design and may likely warrant larger sample sizes.

Approve the plan & have personnel to execute

The internal audit plan, including risk assessment, should be presented and approved by the audit committee at least annually. It's critical that those responsible for performing internal audit procedures possess the necessary skills and are independent from the business process. As a result, many institutions find it necessary to outsource some or all of the testing to third parties.

It's important to understand that outsourcing doesn't absolve the board and senior management of its responsibilities for ensuring an effective internal control system.

Create action plans, be accountable

Internal audit testing should be accompanied by written reports that clearly communicate the scope and findings.

It's management's responsibility to respond to these results by defining a correction action plan and a targeted remediation date. As it's important for management to develop a correction action plan, it's equally important to hold management accountable by designing audit procedures to test the execution of action plan items.

These are just a few concepts to consider when evaluating your internal audit program. An effective internal audit program achieves the audit policy's objectives and is efficient. If appropriately administered, it also will identify opportunities for process improvements, promote a culture of compliance, create accountability and help reduce mistakes.

• Ken Bishop is a partner with BKD National Financial Services Group who specializes in managing engagements with a focus on risk management services. For more, contact him at (630) 282-9512 or kbishop@bkd.com.

Background from money - 1, 5, 10, 50 dollars
The internal audit plan, including risk assessment, should be presented and approved by the audit committee at least annually.
0 Article Comments
Article Categories
Business Finance
Article Comments
Guidelines: Keep it civil and on topic; no profanity, vulgarity, slurs or personal attacks. People who harass others or joke about tragedies will be blocked. If a comment violates these standards or our terms of service, click the "flag" link in the lower-right corner of the comment box. To find our more, read our FAQ.
Back To Top
About Us
Staff
Quick Links
Advertising
Services
Copyright © 2024 Paddock Publications, Inc., P.O. Box 280, Arlington Heights, IL 60006
Paddock Publications, Inc. is an Employee-Owned Company