Director’s Supplement - Missouri Independent Bankers Association

MISSOURI INDEPENDENT BANKERS ASSOCIATION
Director’s Supplement
Is Your Internal Audit Program Stuck in the 1990s?
By Bert Purdy, CPA, CTFA, a Director with BKD, LLP
Remember in the 1990s when customers came into your
branches, loan terms were sealed with a handshake and closing
the year-end financial statements lasted until 1 a.m.?
A lot has changed in banking since the 1990s. Almost
everything now is done electronically, data is stored and
processed in the cloud and customers bank through mobile
devices. All this change in the last 25 years begs the question:
“Has your internal audit program changed?”
Regulatory agencies continue to update their expectations
for bank risk management programs. It’s become such a point
of emphasis that state member banks now receive formal risk
management ratings in their examination reports.
While risk management has many components, a robust
internal audit program is a foundational aspect of a solid risk
management program. Through the Interagency Policy
Statement on the Internal Audit Function and Its Outsourcing,
the agencies even mandate an internal audit function.
While internal audit is mandated, its form can be diverse.
You can insource, outsource or cosource your internal audit
plan. You can spend a lot of time performing internal audit
procedures for every activity in the bank, or you can focus on
high-risk areas.
Regardless of your bank’s approach, an efficient and
effective internal audit program today cannot be the same
program used 25 years ago. Here are three examples of “old”
methodologies and practices:
1. Reperformance – Internal audit is about identifying risks in
controls. Reperforming an activity only addresses its accuracy.
It will not identify a weakness in a control.
Many old internal audit programs still contain internal
audit procedures such as, “Reconcile the loan trial balance to
the general ledger.” Do you really want to pay an audit firm to
reconcile your general ledger accounts? Often, the procedure
represents reperforming work already performed.
The modern methods of performing internal audit
procedures of reconciliations are multifaceted and include:
• Agreeing the general ledger and subsidiary ledger to
source documents
• Determining whether the preparer and reviewer signed
and dated the reconciliation
• Assessing independence of the preparer and reviewer as
to the respective accounts
The most important step is assessing the independence of
the personnel responsible. Reconciliation can be completed
accurately by personnel who are not independent, but the risk
of having personnel who can post transactions to the respective
account is one of the most important things for management
and board of directors to know. Why should internal auditors
be so focused on segregation of duties? A lack of segregation
is the primary method by which fraud is perpetrated.
2. Risk Assessment – Most bankers despise the phrase “risk
assessment.” It’s understandable; bankers generally are
required to perform a formal risk assessment prior to initiating
any new activity, product or service. It’s also despised because
bankers generally perform a risk assessment anyway as part of
the decision to initiate any new activity, product or service,
even if it is informal. A risk assessment is a process; it’s not a
document. Bankers always assess risks, though they don’t
always document the process and results. This is what truly
matters.
Your internal audit program always should be based on a
comprehensive risk assessment. Without assessing the risks
in the organization and allocating resources appropriately, you
may end up auditing low-risk items more often than needed.
Low-risk activities should be subject to internal audit, but not
too frequently. An internal audit program should be risk-based. Higher-risk areas should be audited more frequently.
Gone are the days of auditing everything every year.
3. Generalists – A major concern, especially with banks that
have internal auditors on staff, is whether personnel have the
ability to perform some of the more complex areas of the
internal audit plan.
Information technology reviews, ACH audits, trust audits
and regulatory compliance reviews require specific
knowledge and training to perform an effective internal audit.
It’s highly unlikely one individual—internal or third-party—
will have the skills to audit all of these and the general
operational areas of the bank.
These are just three of the antiquated internal audit practices
still living in financial institutions today. Now is the time to
look at your internal audit program or question your internal
audit provider and make sure your internal audit program has
progressed out of the 90s.
__________________________________________
Bert Purdy, CPA, CTFA is a Director with BKD, LLP and can be
reached at [email protected]
This article is for general information purposes only and is not to be
considered as legal advice. This information was written by qualified,
experienced BKD professionals, but applying this information to your
particular situation requires careful consideration of your specific
facts and circumstances. Consult your BKD advisor or legal counsel
before acting on any matter covered in this update.
Article reprinted with permission from BKD, LLP, bkd.com. All
rights reserved.