SUMMARY OF THE ARTICLE

The federal banking regulators issued a joint Interagency Policy

Statement on the Internal Audit Function and its Outsourcing. In January
1998, the Basle Committee on Banking Supervision released a proposed
Framework for the Evaluation of Internal Control Systems. These 2 recent
releases by US and foreign bank supervisory authorities underscore the
increasing emphasis that banking regulators are placing on
bank internal control systems and on the internal audit function in
particular. This shift in focus is part of the bank regulatory community's
steady development of risk-based supervision as the dominant theme in
the oversight of banking organizations. Both releases are very useful for
discerning the current thinking of bank regulators, both here and abroad, on
bank internal control systems and internal audit programs. They also
demonstrate that effective risk management by banks and effective risk-
based supervision by regulators are highly dependent both on the
implementation of adequate internal control systems and on the vigilance
and competence of internal audit staffs.

The federal banking regulators concluded that the traditional

approach to bank examination and supervision was becoming increasingly
less adequate to the task. Transaction-based examinations, by which
agency examiners would visit a bank on a periodic basis and spend most of
their time reviewing loan files, are not much use in an era when banks are
increasingly incorporating derivatives, securities, a variety of off-balance-
sheet products, and electronic banking into their core businesses.

FINDINGS

Risk-based supervision, in the view of the regulators, makes for a

forward-looking, proactive supervisory program. Reliance on the old style of
supervision, which essentially was examination by hindsight, has largely
fallen from favor. The regulators have concluded that it doesn't do much
good to find problems after they have happened, especially at a time when
banks can transmit and deploy vast sums electronically in the twinkling of
an eye or through complex off-balancesheet devices. Thus, the agencies
have moved toward systemic examination and supervision, with an
attendant emphasis on internal control systems.

AUTHOR’S RECOMMENDATION / FINDINGS

The manner and frequency of reporting to senior management and

directors about the status of contract work; the protocol for changing the
terms of the service contract, especially for expansion of audit work if
significant issues are found; that internal audit reports are the property of
the institution, and that the institution will be provided with any copies of
related work papers it deems necessary, and that employees authorized by
the institution will have reasonable and timely access to the work papers
prepared by the outsourcing vendor; the locations of internal audit reports
and their related work papers ;that examiners will be granted immediate
and full access to the internal audit reports and related work papers
prepared by the outsourcing vendor; the method for determining who bears
the cost of consequential damages arising from errors, omissions, and
negligence;

OWN CONCLUSION

Therefore I conclude that the responsibility for the internal audit

function should be assigned to a member of management who understands
the function and has no operational responsibilities. The internal audit
function should be competently supervised and staffed by people with
sufficient expertise and resources to identify the risk inherent in the
institution's operations and assess whether internal controls are effective.