The document summarizes regulatory perspectives on bank internal controls and internal auditing. It discusses recent statements by US and foreign bank regulators emphasizing the importance of internal control systems and the internal audit function. Regulators have shifted focus to risk-based supervision and view internal controls and auditing as critical to effective risk management by banks and supervision by regulators. The traditional transaction-based bank examination approach is seen as increasingly inadequate, so regulators have moved toward examining systemic controls and risk management.
The document summarizes regulatory perspectives on bank internal controls and internal auditing. It discusses recent statements by US and foreign bank regulators emphasizing the importance of internal control systems and the internal audit function. Regulators have shifted focus to risk-based supervision and view internal controls and auditing as critical to effective risk management by banks and supervision by regulators. The traditional transaction-based bank examination approach is seen as increasingly inadequate, so regulators have moved toward examining systemic controls and risk management.
The document summarizes regulatory perspectives on bank internal controls and internal auditing. It discusses recent statements by US and foreign bank regulators emphasizing the importance of internal control systems and the internal audit function. Regulators have shifted focus to risk-based supervision and view internal controls and auditing as critical to effective risk management by banks and supervision by regulators. The traditional transaction-based bank examination approach is seen as increasingly inadequate, so regulators have moved toward examining systemic controls and risk management.
The federal banking regulators issued a joint Interagency Policy
Statement on the Internal Audit Function and its Outsourcing. In January 1998, the Basle Committee on Banking Supervision released a proposed Framework for the Evaluation of Internal Control Systems. These 2 recent releases by US and foreign bank supervisory authorities underscore the increasing emphasis that banking regulators are placing on bank internal control systems and on the internal audit function in particular. This shift in focus is part of the bank regulatory community's steady development of risk-based supervision as the dominant theme in the oversight of banking organizations. Both releases are very useful for discerning the current thinking of bank regulators, both here and abroad, on bank internal control systems and internal audit programs. They also demonstrate that effective risk management by banks and effective risk- based supervision by regulators are highly dependent both on the implementation of adequate internal control systems and on the vigilance and competence of internal audit staffs.
The federal banking regulators concluded that the traditional
approach to bank examination and supervision was becoming increasingly less adequate to the task. Transaction-based examinations, by which agency examiners would visit a bank on a periodic basis and spend most of their time reviewing loan files, are not much use in an era when banks are increasingly incorporating derivatives, securities, a variety of off-balance- sheet products, and electronic banking into their core businesses.
FINDINGS
Risk-based supervision, in the view of the regulators, makes for a
forward-looking, proactive supervisory program. Reliance on the old style of supervision, which essentially was examination by hindsight, has largely fallen from favor. The regulators have concluded that it doesn't do much good to find problems after they have happened, especially at a time when banks can transmit and deploy vast sums electronically in the twinkling of an eye or through complex off-balancesheet devices. Thus, the agencies have moved toward systemic examination and supervision, with an attendant emphasis on internal control systems.
AUTHOR’S RECOMMENDATION / FINDINGS
The manner and frequency of reporting to senior management and
directors about the status of contract work; the protocol for changing the terms of the service contract, especially for expansion of audit work if significant issues are found; that internal audit reports are the property of the institution, and that the institution will be provided with any copies of related work papers it deems necessary, and that employees authorized by the institution will have reasonable and timely access to the work papers prepared by the outsourcing vendor; the locations of internal audit reports and their related work papers ;that examiners will be granted immediate and full access to the internal audit reports and related work papers prepared by the outsourcing vendor; the method for determining who bears the cost of consequential damages arising from errors, omissions, and negligence;
OWN CONCLUSION
Therefore I conclude that the responsibility for the internal audit
function should be assigned to a member of management who understands the function and has no operational responsibilities. The internal audit function should be competently supervised and staffed by people with sufficient expertise and resources to identify the risk inherent in the institution's operations and assess whether internal controls are effective.